Abstract

Quantum computers can break the RSA and El Gamal public-key cryptosystems, since they can 
factor integers and extract discrete logarithms. If we believe that quantum computers will someday 
become a reality, we would like to have post-quantum cryptosystems which can be implemented today 
with classical computers, but which will remain secure even in the presence of quantum attacks. 

In this article we show that the McEliece cryptosystem over well-permuted, well-scrambled linear 
codes resists precisely the attacks to which the RSA and El Gamal cryptosystems are vulnerable — 
namely, those based on generating and measuring coset states. This eliminates the approach of strong 
Fourier sampling on which almost all known exponential speedups by quantum algorithms are based. 
Specifically, we show that the natural case of the Hidden Subgroup Problem to which the McEliece 
cryptosystem reduces cannot be solved by strong Fourier sampling, or by any measurement of a coset 
state. We start with recent negative results on quantum algorithms for Graph Isomorphism, which are 
based on particular subgroups of size two, and extend them to subgroups of arbitrary structure, including the automorphism groups of linear codes. This allows us to obtain the first rigorous results on the
security of the McEliece cryptosystem in the face of quantum adversaries, strengthening its candidacy 
for post-quantum cryptography. 



1 Introduction 



Considering that common public-key cryptosystems such as RSA and El Gamal are insecure against quantum attacks, the susceptibility of other well-studied public-key systems to such attacks is naturally of fundamental interest. In this article we present evidence for the strength of the McEliece cryptosystem against quantum attacks, demonstrating that the quantum Fourier sampling attacks that cripple RSA and El Gamal do not apply to the McEliece system coupled with well-permuted, well-scrambled linear codes. While our results do not rule out other quantum (or classical) attacks, they do demonstrate security against the hidden subgroup methods that have proven so powerful for computational number theory. Additionally, we partially extend results of Kempe et al. [8] concerning the subgroups of $S_n$ reconstructible by quantum Fourier sampling.



The McEliece cryptosystem. This public-key cryptosystem was proposed by McEliece in 1978 [11], and is typically built over Goppa codes. There are two basic types of attacks known against the McEliece cryptosystem: ciphertext-only attacks, and attacks on the private key. The former is unlikely to work because it relies on solving the general decoding problem, which is NP-hard. The latter can be successful on certain classes of linear codes, and is our focus. In the McEliece cryptosystem, the private key of a user Alice consists of three matrices: a $k \times n$ generator matrix $M$ of a hidden $q$-ary $[n,k]$-linear code, an invertible $k \times k$ matrix $A$ over the finite field $\mathbb{F}_q$, and an $n \times n$ permutation matrix $P$. Both matrices $A$ and $P$ are selected randomly. Alice's public key includes the matrix $M^* = AMP$, which is a generator matrix of a linear code equivalent to the secret code. An adversary may attack the private key by first computing the secret generator matrix $M$, and then computing¹ the secret row "scrambler" $A$ and the secret permutation $P$.

There have been some successful attacks on McEliece-type public-key systems. A notable one is Sidelnikov and Shestakov's attack, which efficiently computes the matrices $A$ and $MP$ from the public matrix $AMP$, in the case that the secret code is a generalized Reed-Solomon (GRS) code. Note that this attack does not reveal the secret permutation. An attack in which the secret permutation is revealed was proposed by Loidreau and Sendrier [9]. However, this attack only works with a very limited subclass of classical binary Goppa codes, namely those with a binary generator polynomial.

Although the McEliece cryptosystem is efficient and still considered (classically) secure [1], it is rarely used in practice because of the comparatively large public key (see remark 8.33 in [12]). The discovery of successful quantum attacks on RSA and El Gamal, however, has changed the landscape: as suggested by Ryan [17] and Bernstein et al. [2], the McEliece cryptosystem could become a "post-quantum" alternative to RSA.



Quantum Fourier sampling. Quantum Fourier Sampling (QFS) is a key ingredient in most efficient algebraic quantum algorithms, including Shor's algorithms for factorization and discrete logarithm [18] and Simon's algorithm [20]. In particular, Shor's algorithm relies on quantum Fourier sampling over the cyclic group $\mathbb{Z}_N$, while Simon's algorithm uses quantum Fourier sampling over $\mathbb{Z}_2^n$. In general, these algorithms solve instances of the Hidden Subgroup Problem (HSP) over a finite group $G$. Given a function $f$ on $G$ whose level sets are left cosets of some unknown subgroup $H \le G$, i.e., such that $f$ is constant on each left coset of $H$ and distinct on different left cosets, they find a set of generators for the subgroup $H$.

The standard approach to this problem treats $f$ as a black box and applies $f$ to a uniform superposition over $G$, producing the coset state $|cH\rangle = \frac{1}{\sqrt{|H|}} \sum_{h \in H} |ch\rangle$ for a random $c$. We then measure $|cH\rangle$ in a Fourier basis $\{|\rho, i, j\rangle\}$ for the space $\mathbb{C}[G]$, where $\rho$ is an irrep² of $G$ and $i, j$ are row and column indices of a matrix $\rho(g)$. In the weak form of Fourier sampling, only the representation name $\rho$ is measured, while in the strong form, both the representation name and the matrix indices are measured. This produces probability distributions from which classical information can be extracted to recover the subgroup $H$. Moreover, since $|cH\rangle$ is block-diagonal in the Fourier basis, the optimal measurement of the coset state can always be described in terms of strong Fourier sampling.

¹ Recovering the secret scrambler and the secret permutation is different from the Code Equivalence problem. The former finds a transformation between two equivalent codes, while the latter decides whether two linear codes are equivalent.

Understanding the power of Fourier sampling in nonabelian contexts has been an ongoing project, and a sequence of negative results [5, 13, 7] has suggested that the approach is inherently limited when the underlying groups are rich enough. In particular, Moore, Russell, and Schulman [13] showed that over the symmetric group, even the strong form of Fourier sampling cannot efficiently distinguish the conjugates of most order-2 subgroups from each other or from the trivial subgroup. That is, for any $\sigma \in S_n$ with large support, and most $\pi \in S_n$, if $H = \{1, \pi^{-1}\sigma\pi\}$ then strong Fourier sampling, and therefore any measurement we can perform on the coset state, yields a distribution which is exponentially close to the distribution corresponding to $H = \{1\}$. This result implies that Graph Isomorphism cannot be solved by the naive reduction to strong Fourier sampling. Hallgren et al. [5] strengthened these results, demonstrating that even entangled measurements on $o(\log n!)$ coset states result in essentially information-free outcome distributions. Kempe and Shalev [7] showed that weak Fourier sampling of single coset states in $S_n$ cannot distinguish the trivial subgroup from larger subgroups $H$ with polynomial size and non-constant minimal degree³. They conjectured, conversely, that if a subgroup $H \le S_n$ can be distinguished from the trivial subgroup by weak Fourier sampling, then the minimal degree of $H$ must be constant. Their conjecture was later proved by Kempe, Pyber, and Shalev [8].



1.1 Our contributions 

To state our results, we say that a subgroup $H \le G$ is indistinguishable by strong Fourier sampling if the conjugate subgroups $g^{-1}Hg$ cannot be distinguished from each other or from the trivial subgroup by measuring the coset state in an arbitrary Fourier basis. A precise definition is presented in Section 3.2. Since the optimal measurement of a coset state can always be expressed as an instance of strong Fourier sampling, these results imply that no measurement of a single coset state yields any useful information about $H$. Based on the strategy of Moore, Russell, and Schulman [13], we first develop a general framework, formalized in Theorem 4, to determine indistinguishability of a subgroup by strong Fourier sampling. We emphasize that their results cover the case where the subgroup has order two. Our principal contribution is to show how to extend their methods to more general subgroups.

We then apply this general framework to a class of semi-direct products $(GL_k(\mathbb{F}_q) \times S_n) \wr \mathbb{Z}_2$, bounding the distinguishability for the HSP corresponding to the private-key attack on the McEliece cryptosystem, i.e., the problem of determining $A$ and $P$ from $M^*$ and $M$. Our bound, given in Corollary 9 of Theorem 8, depends on the minimal degree and the size of the automorphism group of the secret code, as well as on the column rank of the secret generator matrix. In particular, the rational Goppa codes have good values for these quantities, i.e., they have small automorphism groups with large minimal degree, and have generator matrices of full rank. In general, our result indicates that the McEliece cryptosystem resists all known attacks based on strong Fourier sampling if its secret $q$-ary $[n,k]$-code (i) is well-permuted, i.e., its automorphism group has minimal degree $\Omega(n)$ and size $e^{o(n)}$, and (ii) is well-scrambled, i.e., it has a generator matrix of rank at least $k - o(\sqrt{n})$. Here, we assume $q^{k^2} < n^{0.2n}$, which implies $\log|GL_k(\mathbb{F}_q)| = O(n \log n)$, so that Alice only needs to flip $O(n \log n)$ bits to pick a random matrix $A$ from $GL_k(\mathbb{F}_q)$. Thus she needs only $O(n \log n)$ coin flips overall to generate her private key.

² Throughout the paper, we write "irrep" as short for "irreducible representation".

³ The minimal degree of a permutation group $H$ is the minimal number of points moved by a non-identity element of $H$.

While our main application is the security of the McEliece cryptosystem, we show in addition that our general framework is applicable to other classes of groups with simpler structure, including the symmetric group and the finite general linear group $GL_2(\mathbb{F}_q)$. For the symmetric group, we extend the results of [13] to larger subgroups of $S_n$. Specifically, we show that any subgroup $H \le S_n$ with minimal degree $m \ge \Theta(\log|H|) + \omega(\log n)$ is indistinguishable by strong Fourier sampling over $S_n$. In other words, if the conjugates of $H$ can be distinguished from each other, or from the trivial subgroup, by strong Fourier sampling, then the minimal degree of $H$ must be $O(\log|H|) + O(\log n)$. This partially extends the results of Kempe et al. [8], which apply only to weak Fourier sampling.

We go on to demonstrate another application of our general framework for the general linear group $GL_2(\mathbb{F}_q)$, giving the first negative result regarding the power of strong Fourier sampling over $GL_2(\mathbb{F}_q)$. We show that any subgroup $H \le GL_2(\mathbb{F}_q)$ that does not contain non-identity scalar matrices and has order $|H| < q^{\delta}$ for some $\delta < 1/2$ is indistinguishable by strong Fourier sampling. Examples of such subgroups are those generated by a constant number of triangular unipotent matrices.



Remark. Our results show that the natural reduction of McEliece to a hidden subgroup problem yields negligible information about the secret key. Thus they rule out the direct analogue of the quantum attack that breaks, for example, RSA. Our results are quite flexible in this hidden-subgroup context: they apply equally well to any HSP reduction resulting in a rich subgroup of $GL_2(\mathbb{F}_q)$, which seems to be the natural arena for the McEliece system.

Of course, our results do not rule out other quantum (or classical) attacks. Neither do they establish that a quantum algorithm for the McEliece cryptosystem would violate a natural hardness assumption, as do recent lattice cryptosystem constructions whose hardness is based on the Learning With Errors problem (e.g. Regev [15]). Nevertheless, they indicate that any such algorithm would have to use rather different ideas than those that have been proposed so far.



1.2 Summary of technical ideas 

Let G be a finite group. We wish to establish general criteria for indistinguishability of subgroups H < G by 
strong Fourier sampling. We begin with the general strategy, developed in [13], that controls the resulting 
probability distributions in terms of the representation-theoretic properties of G. In order to handle richer 
subgroups, however, we have to overcome some technical difficulties. Our principal contribution here is a 
"decoupling" lemma that allows us to handle the cross terms arising from pairs of nontrivial group elements. 

Roughly, the approach (presented in Section 3.2) identifies two disjoint subsets, Small and Large, of irreps of $G$. The set Large consists of all irreps whose dimensions are no smaller than a certain threshold $D$. While $D$ should be as large as possible, we also need to choose $D$ small enough so that the set Large is large. In contrast, the representations in Small must have small dimension (much smaller than $\sqrt{D}$), and the set Small should be small or contain few irreps that appear in the decomposition of the tensor product representation $\rho \otimes \rho^*$ for any $\rho \in$ Large. In addition, any irrep $\rho$ outside Small must have small normalized character $|\chi_\rho(h)|/d_\rho$ for any nontrivial element $h \in H$. If there are two such sets Small and Large, and if the order of $H$ is sufficiently small, then $H$ is indistinguishable by strong Fourier sampling over $G$.

In the case $G = GL_2(\mathbb{F}_q)$, for instance, we choose Small as the set of all linear representations and set the threshold $D = q - 1$. The key lemma we need to prove is then that for any nonlinear irrep $\rho$ of $GL_2(\mathbb{F}_q)$, the decomposition of $\rho \otimes \rho^*$ contains at most two inequivalent linear representations (proved later in the paper). In the case $G = S_n$, we choose Small as the set $\Lambda_c$ of all Young diagrams with at least $(1-c)n$ rows or at least $(1-c)n$ columns, and set $D = n^{dn}$, for reasonable constants $0 < c, d < 1$. For this case, we use the same techniques as in [13].

For the case $G = (GL_k(\mathbb{F}_q) \times S_n) \wr \mathbb{Z}_2$ corresponding to the McEliece cryptosystem, the normalized characters on the hidden subgroup $K$ depend on the minimal degree of the automorphism group $\mathrm{Aut}(C)$, where $C$ is the secret code. Moreover, $|K|$ depends on $|\mathrm{Aut}(C)|$ and the column rank of the secret generator matrix. Now we can choose Small as the set of all irreps constructed from tensor product representations $\chi \times \lambda$ of $GL_k(\mathbb{F}_q) \times S_n$ with $\lambda \in \Lambda_c$. Then the "small" features of $\Lambda_c$ will induce the "small" features of this set Small. To show that any irrep outside Small has small normalized characters on $K$, we show that any Young diagram $\lambda$ outside $\Lambda_c$ has large dimension (proved later in the paper).

2 Hidden Subgroup Attack Against McEliece Cryptosystems 

2.1 An attack via the hidden shift problem 

As mentioned in the Introduction, we consider the attack that involves finding the secret scrambler and 
permutation in a McEliece private key. 

Scrambler-Permutation Problem. Given two $k \times n$ generator matrices $M$ and $M^*$ of two equivalent linear codes over $\mathbb{F}_q$, the task is to find a matrix $A \in GL_k(\mathbb{F}_q)$ and an $n \times n$ permutation matrix $P$ such that $M^* = AMP$.

The decision version of this problem, known as CODE EQUIVALENCE problem, is not easier than 
Graph Isomorphism, although it is unlikely to be NP-complete [14]. The only known way to solve the 
Scrambler-Permutation problem using quantum Fourier sampling is to reduce it to a Hidden Shift Problem, 
which in turn can be reduced to a Hidden Subgroup Problem over a wreath product. 

Hidden Shift Problem. Let $G$ be a finite group and $E$ be some finite set. Given two functions $f_0 : G \to E$ and $f_1 : G \to E$ on $G$, we call an element $s \in G$ a left shift from $f_0$ to $f_1$ (or simply, a shift) if $f_0(sx) = f_1(x)$ for all $x \in G$. We are promised that there is such a shift. Find a shift.

The Scrambler-Permutation Problem is reduced to the Hidden Shift Problem over the group $G = GL_k(\mathbb{F}_q) \times S_n$ by defining functions $f_0$ and $f_1$ on $GL_k(\mathbb{F}_q) \times S_n$ as follows: for all $(A, P) \in GL_k(\mathbb{F}_q) \times S_n$,

$$f_0(A, P) = A^{-1}MP, \qquad f_1(A, P) = A^{-1}M^*P. \qquad (1)$$

Here and from now on, we identify each $n \times n$ permutation matrix with its corresponding permutation in $S_n$. Apparently, $AMP = M^*$ if and only if $(A^{-1}, P)$ is a shift from $f_0$ to $f_1$: for $x = (B, Q)$ we have $f_0((A^{-1}, P) \cdot x) = (A^{-1}B)^{-1} M (PQ) = B^{-1} AMP\, Q$, which equals $f_1(x) = B^{-1} M^* Q$ for all $x$ exactly when $AMP = M^*$.

2.2 Reduction from the hidden shift problem to the hidden subgroup problem 

We present how to reduce the Hidden Shift Problem over group $G$ to the HSP on the wreath product $G \wr \mathbb{Z}_2$, which can also be written as a semi-direct product $G^2 \rtimes \mathbb{Z}_2$ associated with the action of $\mathbb{Z}_2$ on $G^2$ in which the non-identity element of $\mathbb{Z}_2$ acts on $G^2$ by swapping, i.e., $1 \cdot (x, y) = (y, x)$.

Given two input functions $f_0$ and $f_1$ for a Hidden Shift Problem on $G$, we define the function $f : G^2 \rtimes \mathbb{Z}_2 \to E \times E$ as follows: for $(x, y) \in G^2$, $b \in \mathbb{Z}_2$,

$$f((x, y), b) = \begin{cases} (f_0(x), f_1(y)) & \text{if } b = 0, \\ (f_1(y), f_0(x)) & \text{if } b = 1. \end{cases} \qquad (2)$$

We want to determine the subgroup whose cosets are distinguished by $f$. Recall that a function $f$ on a group $G$ distinguishes the right cosets of a subgroup $H \le G$ if for all $x, y \in G$, $f(x) = f(y) \iff Hx = Hy$.

Definition. Let $f$ be a function on a group $G$. We say that the function $f$ is injective under right multiplication if for all $x, y \in G$,

$$f(x) = f(y) \iff f(yx^{-1}) = f(1).$$

Define the subset $G|_f$ of the group $G$:

$$G|_f \overset{\mathrm{def}}{=} \{g \in G \mid f(g) = f(1)\}.$$

Proposition 1. Let $f$ be a function on a group $G$. If $f$ distinguishes the right cosets of a subgroup $H \le G$, then $f$ must be injective under right multiplication and $G|_f = H$. Conversely, if $f$ is injective under right multiplication, then $G|_f$ is a subgroup and $f$ distinguishes the right cosets of the subgroup $G|_f$.

Hence, the function $f$ defined in (2) can distinguish the right cosets of some subgroup if and only if it is injective under right multiplication.

Lemma 2. The function $f$ defined in (2) is injective under right multiplication if and only if $f_0$ is injective under right multiplication.

The proof for this lemma is straightforward on the case by case basis, so we omit it here. 

Proposition 3. Assume $f_0$ is injective under right multiplication. Let $H_0 = G|_{f_0}$ and $s$ be a shift. Then the function $f$ defined in (2) distinguishes right cosets of the following subgroup of $G^2 \rtimes \mathbb{Z}_2$:

$$(G^2 \rtimes \mathbb{Z}_2)|_f = \big((H_0,\ s^{-1}H_0 s),\ 0\big) \cup \big((H_0 s,\ s^{-1}H_0),\ 1\big),$$

which has size $2|H_0|^2$. Recall that the set of shifts is $H_0 s$.

To find a hidden shift from the hidden subgroup $K = (G^2 \rtimes \mathbb{Z}_2)|_f$, just select an element of the form $((g_1, g_2), 1)$ from $K$; then $g_1$ must belong to $H_0 s$, which is the set of all shifts.

In the case of the Scrambler-Permutation problem. Back to the Hidden Shift Problem over $G = GL_k(\mathbb{F}_q) \times S_n$ reduced from the Scrambler-Permutation problem, it is clear that the input function $f_0$ defined in (1) is injective under right multiplication and that

$$H_0 = (GL_k(\mathbb{F}_q) \times S_n)|_{f_0} = \{(A, P) \in GL_k(\mathbb{F}_q) \times S_n : A^{-1}MP = M\}.$$
3 Quantum Fourier sampling (QFS)
3.1 Preliminaries and Notation 

Fix a finite group $G$, abelian or non-abelian, and let $\hat{G}$ denote the set of (complex) irreducible representations, or "irreps" for short, of $G$. For each irrep $\rho \in \hat{G}$, let $V_\rho$ denote a vector space over $\mathbb{C}$ on which $\rho$ acts so that $\rho$ is a group homomorphism from $G$ to the general linear group over $V_\rho$, and let $d_\rho$ denote the dimension of $V_\rho$. For each $\rho$, we fix an orthonormal basis $B_\rho = \{\mathbf{b}_1, \ldots, \mathbf{b}_{d_\rho}\}$ for $V_\rho$, in which we can represent each $\rho(g)$ as a $d_\rho \times d_\rho$ unitary matrix whose $j$th column is the vector $\rho(g)\mathbf{b}_j$.

Viewing the vector space $\mathbb{C}[G]$ as the regular representation of $G$, we can decompose $\mathbb{C}[G]$ into irreps as the direct sum $\bigoplus_{\rho \in \hat{G}} V_\rho^{\oplus d_\rho}$. This has a basis $\{|\rho, i, j\rangle : \rho \in \hat{G},\ 1 \le i, j \le d_\rho\}$, where $\{|\rho, i, j\rangle \mid 1 \le i \le d_\rho\}$ is a basis for the $j$th copy of $V_\rho$ in the decomposition of $\mathbb{C}[G]$.

Definition. The Quantum Fourier transform over $G$ is the unitary operator, denoted $F_G$, that transforms a vector in $\mathbb{C}[G]$ from the point-mass basis $\{|g\rangle \mid g \in G\}$ into the basis given by the decomposition of $\mathbb{C}[G]$. For all $g \in G$,

$$F_G |g\rangle = \sum_{\rho \in \hat{G}} \sqrt{\frac{d_\rho}{|G|}} \sum_{1 \le i, j \le d_\rho} \rho(g)_{ij}\, |\rho, i, j\rangle,$$

where $\rho(g)_{ij}$ is the $(i,j)$-entry of the matrix $\rho(g)$. Alternatively, we can view $F_G|g\rangle$ as a block diagonal matrix consisting of the block $\sqrt{d_\rho/|G|}\,\rho(g)$ for each $\rho \in \hat{G}$.

Notations. For each subset $X \subseteq G$, define $|X\rangle = \frac{1}{\sqrt{|X|}} \sum_{x \in X} |x\rangle$, which is the state of a uniformly random element of $X$ in the point-mass basis. For each $X \subseteq G$ and $\rho \in \hat{G}$, define the operator

$$\Pi^\rho_X = \frac{1}{|X|} \sum_{x \in X} \rho(x),$$

and let $\hat{X}(\rho)$ denote the $d_\rho \times d_\rho$ matrix block at $\rho$ in the quantum Fourier transform of $|X\rangle$, i.e.,

$$\hat{X}(\rho) = \sqrt{\frac{d_\rho}{|G|}} \cdot \frac{1}{\sqrt{|X|}} \sum_{x \in X} \rho(x) = \sqrt{\frac{d_\rho |X|}{|G|}}\; \Pi^\rho_X.$$

Fact. If $X$ is a subgroup of $G$, then $\Pi^\rho_X$ is a projection operator. That is, $(\Pi^\rho_X)^\dagger = \Pi^\rho_X$ and $(\Pi^\rho_X)^2 = \Pi^\rho_X$.

Quantum Fourier Sampling (QFS) is a standard procedure based on the Quantum Fourier Transform to solve the Hidden Subgroup Problem (HSP) (see [10] for a survey). An instance of the HSP over $G$ consists of a black-box function $f : G \to \{0,1\}^*$ such that $f(x) = f(y)$ if and only if $x$ and $y$ belong to the same left coset of $H$ in $G$, for some subgroup $H \le G$. The problem is to recover $H$ using the oracle $O_f : |x, y\rangle \mapsto |x, y \oplus f(x)\rangle$. The general QFS procedure for this is the following:

1. Prepare a 2-register quantum state, the first in a uniform superposition of the group elements and the second with the value zero: $|\psi_0\rangle = \frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle |0\rangle$.

2. Query $f$, i.e., apply the oracle $O_f$, resulting in the state

$$|\psi_1\rangle = \frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle |f(g)\rangle = \frac{1}{\sqrt{|T|}} \sum_{a \in T} |aH\rangle |f(a)\rangle,$$

where $T$ is a transversal of $H$ in $G$.
3. Measure the second register of $|\psi_1\rangle$, resulting in the state $|aH\rangle |f(a)\rangle$ with probability $1/|T|$ for each $a \in T$. The first register of the resulting state is then $|aH\rangle$ for some uniformly random $a \in G$.

4. Apply the quantum Fourier transform over $G$ to the coset state $|aH\rangle$ observed at step 3:

$$F_G |aH\rangle = \sum_{\rho \in \hat{G},\ 1 \le i, j \le d_\rho} \widehat{aH}(\rho)_{ij}\, |\rho, i, j\rangle.$$

5. (Weak) Observe the representation name $\rho$. (Strong) Observe $\rho$ and the matrix indices $i, j$.

6. Classically process the information observed from the previous step to determine the subgroup $H$.

Probability distributions produced by QFS. For a particular coset $aH$, the probability of measuring the representation $\rho$ in the state $F_G|aH\rangle$ is

$$P_{aH}(\rho) = \|\widehat{aH}(\rho)\|_F^2 = \frac{d_\rho |H|}{|G|}\, \mathrm{Tr}\big((\Pi^\rho_{aH})^\dagger \Pi^\rho_{aH}\big) = \frac{d_\rho |H|}{|G|}\, \mathrm{Tr}(\Pi^\rho_H),$$

where $\mathrm{Tr}(A)$ denotes the trace of a matrix $A$, and $\|A\|_F := \sqrt{\mathrm{Tr}(A^\dagger A)}$ is the Frobenius norm of $A$. The last equality is due to the fact that $\Pi^\rho_{aH} = \rho(a)\Pi^\rho_H$ and that $\Pi^\rho_H$ is an orthogonal projector.

Since there is no point in measuring the row index $i$, we are only concerned with measuring the column index $j$, i.e., a vector $\mathbf{b}$ of the basis $B_\rho$.



As pointed out in [13], the optimal von Neumann measurement on a coset state can always be expressed in this form for some basis $B_\rho$. Conditioned on observing $\rho$ in the state $F_G|aH\rangle$, the probability of measuring a given $\mathbf{b} \in B_\rho$ is proportional to $\|\widehat{aH}(\rho)\mathbf{b}\|^2$. Hence the conditional probability that we observe the vector $\mathbf{b}$, given that we observe the representation $\rho$, is

$$P_{aH}(\mathbf{b} \mid \rho) = \frac{\|\widehat{aH}(\rho)\mathbf{b}\|^2}{P_{aH}(\rho)} = \frac{\|\Pi^\rho_{aH}\mathbf{b}\|^2}{\mathrm{Tr}(\Pi^\rho_H)} = \frac{\|\Pi^\rho_H \mathbf{b}\|^2}{\mathrm{Tr}(\Pi^\rho_H)},$$

where in the last equality we use the fact that, as $\rho(a)$ is unitary, it preserves the norm of the vector $\Pi^\rho_H \mathbf{b}$.

The coset representative $a$ is unknown and is uniformly distributed in $T$. However, both distributions $P_{aH}(\rho)$ and $P_{aH}(\mathbf{b} \mid \rho)$ are independent of $a$ and are the same as those for the state $F_G|H\rangle$. Thus, in Step 5 of the QFS procedure above, we observe $\rho \in \hat{G}$ with probability $P_H(\rho)$, and conditioned on this event, we observe $\mathbf{b} \in B_\rho$ with probability $P_H(\mathbf{b} \mid \rho)$.

If the hidden subgroup is trivial, $H = \{1\}$, then $\Pi^\rho_{\{1\}}$ is the identity and the conditional probability distribution on $B_\rho$ is uniform:

$$P_{\{1\}}(\mathbf{b} \mid \rho) = \frac{\|\Pi^\rho_{\{1\}}\mathbf{b}\|^2}{\mathrm{Tr}(\Pi^\rho_{\{1\}})} = \frac{1}{d_\rho}.$$



3.2 Distinguishability by QFS

We fix a finite group $G$ and consider quantum Fourier sampling over $G$ in the basis given by $\{B_\rho\}$. For a subgroup $H \le G$ and for $g \in G$, let $H^g$ denote the conjugate subgroup $g^{-1}Hg$. Since $\Pi^\rho_{H^g} = \rho(g)^{-1}\Pi^\rho_H\rho(g)$, we have $\mathrm{Tr}(\Pi^\rho_H) = \mathrm{Tr}(\Pi^\rho_{H^g})$, and the probability distributions obtained by QFS for recovering the hidden subgroup $H^g$ are

$$P_{H^g}(\rho) = \frac{d_\rho |H|}{|G|}\, \mathrm{Tr}(\Pi^\rho_H) = P_H(\rho) \qquad \text{and} \qquad P_{H^g}(\mathbf{b} \mid \rho) = \frac{\|\Pi^\rho_{H^g}\mathbf{b}\|^2}{\mathrm{Tr}(\Pi^\rho_H)}.$$
As $P_{H^g}(\rho)$ does not depend on $g$, weak Fourier sampling cannot distinguish conjugate subgroups. Our goal is to point out that for certain nontrivial subgroups $H \le G$, strong Fourier sampling cannot efficiently distinguish the conjugates of $H$ from each other or from the trivial one. Recall that the distribution $P_{\{1\}}(\cdot \mid \rho)$ obtained by performing strong Fourier sampling on the trivial hidden subgroup is the same as the uniform distribution $U_{B_\rho}$ on the basis $B_\rho$. Thus, our goal can be boiled down to showing that the probability distribution $P_{H^g}(\cdot \mid \rho)$ is likely to be close to the uniform distribution $U_{B_\rho}$ in total variation, for a random $g \in G$ and an irrep $\rho \in \hat{G}$ obtained by weak Fourier sampling.

Definition. We define the distinguishability of a subgroup $H$ (using strong Fourier sampling over $G$), denoted $\mathcal{D}_H$, to be the expectation of the squared $L_1$-distance between $P_{H^g}(\cdot \mid \rho)$ and $U_{B_\rho}$:

$$\mathcal{D}_H \overset{\mathrm{def}}{=} \mathbb{E}_{\rho, g}\Big[\big\|P_{H^g}(\cdot \mid \rho) - U_{B_\rho}\big\|_1^2\Big],$$

where $\rho$ is drawn from $\hat{G}$ according to the distribution $P_H(\rho)$, and $g$ is chosen from $G$ uniformly at random. We say that the subgroup $H$ is indistinguishable if $\mathcal{D}_H < \log^{-\omega(1)}|G|$.

Note that if $\mathcal{D}_H$ is small, then the total variation distance between $P_{H^g}(\cdot \mid \rho)$ and $U_{B_\rho}$ is small with high probability due to Markov's inequality: for all $\epsilon > 0$,

$$\Pr_{\rho, g}\Big[\big\|P_{H^g}(\cdot \mid \rho) - U_{B_\rho}\big\|_{t.v.} > \epsilon/2\Big] = \Pr_{\rho, g}\Big[\big\|P_{H^g}(\cdot \mid \rho) - U_{B_\rho}\big\|_1^2 > \epsilon^2\Big] \le \mathcal{D}_H / \epsilon^2.$$

In particular, if the subgroup $H$ is indistinguishable by strong Fourier sampling, then for all constant $c > 0$,

$$\big\|P_{H^g}(\cdot \mid \rho) - U_{B_\rho}\big\|_{t.v.} < \log^{-c}|G|$$

with probability at least $1 - \log^{-c}|G|$ in both $g$ and $\rho$. Indeed, our notion of indistinguishability is inspired by that of Kempe and Shalev [7]. Focusing on weak Fourier sampling, they say that $H$ is indistinguishable if $\|P_H(\cdot) - P_{\{1\}}(\cdot)\|_{t.v.} < \log^{-\omega(1)}|G|$.
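The quantities defined in this section can be evaluated by hand on the smallest nonabelian group. The following is an added example, not part of the paper: it builds $S_3$, its three irreps (trivial, sign, and the 2-dimensional standard representation) in explicitly chosen orthonormal bases $B_\rho$, and computes $P_H(\rho)$, $P_{H^g}(\mathbf{b} \mid \rho)$ and $\mathcal{D}_H$ from the formulas above. The group, the bases and the subgroups tested are constructed for the example, and it assumes the definition $\Pi^\rho_X = \frac{1}{|X|}\sum_{x \in X}\rho(x)$, under which $\Pi^\rho_H$ is the projector the Fact in Section 3.1 refers to.

```python
"""Weak and strong Fourier sampling over S_3, computed from the formulas above.

Added example, not from the paper: S_3, its three irreps and the orthonormal
bases B_rho are constructed here.  It evaluates P_H(rho), P_H(b | rho) for a
subgroup H and its conjugates H^g, and the distinguishability D_H with the
squared L_1 distance, as defined in Section 3.  (S_3 is far too small to be
"indistinguishable"; the point is to see the quantities concretely.)
"""
from itertools import permutations
from math import sqrt

G = list(permutations(range(3)))          # S_3 as tuples, p[i] = image of i


def mul(p, q):                            # (p*q)(i) = p(q(i))
    return tuple(p[q[i]] for i in range(3))


def inv(p):
    r = [0, 0, 0]
    for i, pi in enumerate(p):
        r[pi] = i
    return tuple(r)


def sign(p):
    inversions = sum(1 for i in range(3) for j in range(i) if p[j] > p[i])
    return -1.0 if inversions % 2 else 1.0


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))] for i in range(len(A))]


def transpose(A):
    return [list(col) for col in zip(*A)]


def trace(A):
    return sum(A[i][i] for i in range(len(A)))


def perm_matrix(p):                       # column i is e_{p(i)}, so P_{pq} = P_p P_q
    return [[1.0 if p[j] == i else 0.0 for j in range(3)] for i in range(3)]


# Orthonormal basis of the sum-zero plane in R^3 (our choice of B_std); the
# standard irrep is rho(g) = Q^T P_g Q, a real orthogonal 2x2 matrix.
Q = [[1 / sqrt(2), 1 / sqrt(6)], [-1 / sqrt(2), 1 / sqrt(6)], [0.0, -2 / sqrt(6)]]
IRREPS = {"triv": 1, "sgn": 1, "std": 2}  # name -> d_rho


def irrep(name, p):
    if name == "triv":
        return [[1.0]]
    if name == "sgn":
        return [[sign(p)]]
    return matmul(transpose(Q), matmul(perm_matrix(p), Q))


def projector(H, name):
    """Pi_H^rho = (1/|H|) sum_{h in H} rho(h)  (assumed definition, see lead-in)."""
    d = IRREPS[name]
    Pi = [[0.0] * d for _ in range(d)]
    for h in H:
        R = irrep(name, h)
        for i in range(d):
            for j in range(d):
                Pi[i][j] += R[i][j] / len(H)
    return Pi


def weak_dist(H):
    """P_H(rho) = d_rho |H| / |G| * Tr(Pi_H^rho): what weak sampling observes."""
    return {name: IRREPS[name] * len(H) / len(G) * trace(projector(H, name)) for name in IRREPS}


def strong_dist(H, name):
    """P_H(b | rho) = ||Pi_H^rho b||^2 / Tr(Pi_H^rho), b running over the columns of B_rho."""
    Pi = projector(H, name)
    tr = trace(Pi)
    if tr < 1e-12:
        raise ValueError("rho has probability 0 under P_H")
    return [sum(Pi[i][j] ** 2 for i in range(len(Pi))) / tr for j in range(len(Pi))]


def conjugate(H, g):                      # H^g = g^{-1} H g
    return [mul(inv(g), mul(h, g)) for h in H]


def distinguishability(H):
    """D_H = E_{rho ~ P_H, g uniform} [ ||P_{H^g}(. | rho) - U_{B_rho}||_1^2 ]."""
    total = 0.0
    for name, prob in weak_dist(H).items():
        if prob < 1e-12:                  # irreps that weak sampling never outputs
            continue
        for g in G:
            dist = strong_dist(conjugate(H, g), name)
            l1 = sum(abs(x - 1 / len(dist)) for x in dist)
            total += prob * l1 ** 2 / len(G)
    return total


if __name__ == "__main__":
    H = [(0, 1, 2), (1, 0, 2)]            # order-2 subgroup generated by the transposition (0 1)
    print("weak  :", weak_dist(H))
    print("strong:", strong_dist(H, "std"), strong_dist(conjugate(H, (1, 2, 0)), "std"))
    print("D_H   :", distinguishability(H), " D_A3 :", distinguishability([(0, 1, 2), (1, 2, 0), (2, 0, 1)]))
```

For $H = \{1, (0\,1)\}$ the weak distribution is the same for every conjugate, while the strong conditional distribution on the 2-dimensional irrep is $(0, 1)$ for $H$ itself and $(3/4, 1/4)$ for the other two conjugates, giving $\mathcal{D}_H = 1/3$. For the normal subgroup $A_3$ the conjugates coincide and only one-dimensional irreps are ever observed, so $\mathcal{D}_{A_3} = 0$; note that the definition only measures the conditional distributions given $\rho$, and weak sampling by itself already separates $A_3$ from the trivial subgroup, since $P_{A_3}(\mathrm{std}) = 0$ while $P_{\{1\}}(\mathrm{std}) = 2/3$.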

Our main theorem below will serve as a general guideline for bounding the distinguishability of $H$. For this bound, we define, for each $\sigma \in \hat{G}$, the maximal normalized character of $\sigma$ on $H$ as

$$\chi_\sigma(H) \overset{\mathrm{def}}{=} \max_{h \in H \setminus \{1\}} \frac{|\chi_\sigma(h)|}{d_\sigma}.$$

For each subset $S \subseteq \hat{G}$, let

$$\chi_S(H) = \max_{\sigma \in \hat{G} \setminus S} \chi_\sigma(H) \qquad \text{and} \qquad d_S = \max_{\sigma \in S} d_\sigma.$$

In addition, for each reducible representation $\rho$ of $G$, we let $I(\rho)$ denote the set of irreps of $G$ that appear in the decomposition of $\rho$ into irreps.

Theorem 4 (Main Theorem). Suppose $S$ is a subset of $\hat{G}$. Let $D > d_S$ and let $L = L_D \subseteq \hat{G}$ be the set of all irreps of dimension at least $D$. Let

$$\Delta = \Delta_{S,L} = \max_{\rho \in L} \big|S \cap I(\rho \otimes \rho^*)\big|. \qquad (3)$$

Then the distinguishability of $H$ is bounded by

$$\mathcal{D}_H \le 4|H|^2 \left( \chi_S(H) + \Delta\, \frac{d_S^2}{D} + \frac{|\hat{G}|\, D^2}{|G|} \right).$$

Intuitively, the set $S$ consists of irreps of small dimension, and $L$ consists of irreps of large dimension. Moreover, we wish to have that the size of $S$ is small while the size of $L$ is large, so that most irreps are likely in $L$. In the cases where there are relatively few irreps, i.e., $|S| \ll D$ and $|\hat{G}| \ll |G|$, we can simply upper bound $\Delta$ by $|S|$ and upper bound $|L|$ by $|\hat{G}|$.

We discuss the proof of this theorem in Section 5.



4 Applications 

In this section, we point out some applications of Theorem 4 to analyze strong Fourier sampling over certain
non-abelian groups. 



4.1 Strong Fourier sampling over S n 

In this part, we consider the case where $G$ is the symmetric group $S_n$. Recall that the irreps of $S_n$ are in one-to-one correspondence with the integer partitions $\lambda = (\lambda_1, \lambda_2, \ldots, \lambda_t)$ of $n$; the partition $\lambda$ is associated with the Young diagram of $t$ rows in which the $i$th row contains $\lambda_i$ boxes. The conjugate representation of $\lambda$ is the irrep corresponding to the partition $\lambda' = (\lambda'_1, \lambda'_2, \ldots, \lambda'_{t'})$, which is obtained by flipping the Young diagram $\lambda$ about the diagonal. In particular, $\lambda'_1 = t$ and $t' = \lambda_1$.

As in [13], we use Roichman's upper bound [16] on normalized characters.

Theorem 5 (Roichman's Theorem [16]). There exist constants $b > 0$ and $0 < q < 1$ so that for $n > 4$, for every $\pi \in S_n$, and for every irrep $\lambda$ of $S_n$,

$$\frac{|\chi_\lambda(\pi)|}{d_\lambda} \le \left( \max\left( q,\ \frac{\lambda_1}{n},\ \frac{\lambda'_1}{n} \right) \right)^{b \cdot \mathrm{supp}(\pi)},$$

where $\mathrm{supp}(\pi) = \#\{k \in [n] \mid \pi(k) \ne k\}$ is the support of $\pi$.

This bound works well for unbalanced Young diagrams. In particular, for a constant $0 < c < 1/4$, let $\Lambda_c$ denote the collection of partitions $\lambda$ of $n$ with the property that either $\frac{\lambda_1}{n} \ge 1 - c$ or $\frac{\lambda'_1}{n} \ge 1 - c$, i.e., the Young diagram $\lambda$ contains at least $(1-c)n$ rows or contains at least $(1-c)n$ columns. Then, Roichman's upper bound implies that for every $\pi \in S_n$ and $\lambda \notin \Lambda_c$, and a universal constant $\alpha > 0$,

$$\frac{|\chi_\lambda(\pi)|}{d_\lambda} \le e^{-\alpha \cdot \mathrm{supp}(\pi)}. \qquad (4)$$



On the other hand, both $|\Lambda_c|$ and the maximal dimension of representations in $\Lambda_c$ are small, as shown in the following lemma of [13].

Lemma 6 (Lemma 6.2 in [13]). Let $p(n)$ denote the number of integer partitions of $n$. Then $|\Lambda_c| \le 2cn \cdot p(cn)$, and $d_\mu \le n^{cn}$ for any $\mu \in \Lambda_c$.

To give a more concrete bound for the size of $\Lambda_c$, we record the asymptotic formula for the partition function $p(n)$ [pg. 45]:

$$p(n) \sim \frac{e^{\pi\sqrt{2n/3}}}{4\sqrt{3}\, n} = e^{O(\sqrt{n})}\, n^{-1} \qquad \text{as } n \to \infty.$$

Now we are ready to prove the main result of this section, which is another application of Theorem 4.

Theorem 7. Let $H$ be a nontrivial subgroup of $S_n$ with minimal degree $m$, i.e., $m = \min_{\pi \in H \setminus \{1\}} \mathrm{supp}(\pi)$. Then for sufficiently large $n$, $\mathcal{D}_H \le O(|H|^2 e^{-\alpha m})$.
Proof. Let $2c < d < 1/2$ be constants. We will apply Theorem 4 by setting $S = \Lambda_c$ and $D = n^{dn}$. The condition $2c < d$ guarantees that $D > d_S$, since $d_S \le n^{cn}$ by Lemma 6.

First, we need to bound the maximal normalized character $\chi_S(H)$. By (4), we have $\chi_\lambda(H) \le e^{-\alpha m}$ for all $\lambda \in \hat{S}_n \setminus S$. Hence, $\chi_S(H) \le e^{-\alpha m}$.

To bound the second term in the upper bound of Theorem 4, as $\Delta \le |S|$, it suffices to bound:

$$|S| \cdot \frac{d_S^2}{D} \le 2cn \cdot p(cn) \cdot \frac{n^{2cn}}{n^{dn}} \qquad \text{(by Lemma 6)}$$
$$\le e^{O(\sqrt{n})} \cdot n^{(2c - d)n} \qquad \text{(since } cn \cdot p(cn) = e^{O(\sqrt{n})}\text{)}$$
$$\le n^{-\gamma n}/2 \qquad \text{for sufficiently large } n, \text{ so long as } \gamma < d - 2c.$$

Now bounding the last term in the upper bound of Theorem 4:

$$\frac{|\hat{S}_n|\, D^2}{|S_n|} \le \frac{p(n)\, n^{2dn}}{n!} \qquad \text{(since } |\hat{S}_n| = p(n)\text{)}$$
$$\le \frac{e^{O(\sqrt{n})}\, n^{2dn}}{n^n e^{-n}} \qquad \text{(as } n! \ge n^n e^{-n} \text{ by Stirling's approximation)}$$
$$\le e^{O(n)}\, n^{(2d - 1)n}$$
$$\le n^{-\gamma n}/2 \qquad \text{for sufficiently large } n, \text{ so long as } \gamma < 1 - 2d.$$

By Theorem 4, $\mathcal{D}_H \le 4|H|^2 \big( e^{-\alpha m} + n^{-\gamma n} \big)$.

□



Theorem 7 generalizes Moore, Russell, and Schulman's result [13] on strong Fourier sampling over $S_n$, which only applied in the case $|H| = 2$. To relate our result to the results of Kempe et al. [8], observe that, since $\log|S_n| = \Theta(n \log n)$, the subgroup $H$ is indistinguishable by strong Fourier sampling if $|H|^2 e^{-\alpha m} < (n \log n)^{-\omega(1)}$, equivalently, if $m \ge (2/\alpha)\log|H| + \omega(\log n)$.



4.2 Strong Fourier sampling and the McEliece cryptosystem 

Our main application of Theorem 4 is to show the limitations of strong Fourier sampling in attacking the McEliece cryptosystem. Throughout this section, we fix system parameters $n, k, q$ of the McEliece cryptosystem, and fix a $k \times n$ generator matrix $M$ in a private key of the system. Recall that the known possible quantum attack against this McEliece cryptosystem involves solving the HSP over the wreath product group $(GL_k(\mathbb{F}_q) \times S_n) \wr \mathbb{Z}_2$ with the hidden subgroup being

$$K = \big((H_0,\ s^{-1}H_0 s),\ 0\big) \cup \big((H_0 s,\ s^{-1}H_0),\ 1\big) \qquad (5)$$

for some hidden element $s \in GL_k(\mathbb{F}_q) \times S_n$. Here, $H_0$ is a subgroup of $GL_k(\mathbb{F}_q) \times S_n$ given by

$$H_0 = \{(A, P) \in GL_k(\mathbb{F}_q) \times S_n : A^{-1}MP = M\}. \qquad (6)$$

Let $\mathrm{Aut}(M)$ denote the automorphism group of the linear code generated by $M$. Observe that every element $(A, P) \in H_0$ must have $P \in \mathrm{Aut}(M)$. This allows us to control the maximal normalized characters on $K$ through the minimal degree of $\mathrm{Aut}(M)$. Then applying Theorem 4, we show that
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Theorem 8. Assume c/ 2 < n an for some constant < a < 1/4. Let m be the minimal degree of the automor- 
phism group Aut(M). Then for sufficiently large n, the subgroup K defined in (J5J) has 3>k < 0(\K\ 2 e~ Sm ) , 
where 8 > is a constant. 

The proof of Theorem [8] follows the technical ideas discussed in the Introduction. The details appear in 
S ection 1] As q kl < n a " , we have log | ( G L k (¥ q ) x S n ) I Z 2 \ = O (log n ! + log ) = O (n log n) . Hence, the 
subgroup i^is indistinguishable if \K\ 2 e~ 5m < {n\ogn)~ m ( l \ 

In general, the size of the subgroup K depends on the size of the automorphism group Aut(M) and the 
column rank of the matrix M. To see this, we have \K\ =2|# | 2 , and \H \ = |Aut(M)| x |Fix(M)|, where 
Fix(M) denotes the set of matrices in GL^(F 9 ) fixing M, i.e., 

Fix(M) = {S e Gl k (¥ q ) | SM = M) . 

To bound the size of Fix(M), we record an easy fact which can be obtained by the orbit-stabilizer formula. 

Fact. Let r be the column rank of M. Then |Fix(M)| = (q k - q r )(q k -q r+l ) . . . (g*- q k ~ l ) < q k{k ~ r) . 

Proof. WLOG, assume the first r columns of M are linearly independent, and each remaining column is a 
linear combination of the first r columns. Consider the action of GLt(¥ q ) on the set of k x n matrices over 
Fg. Under this action, the orbit of the matrix M, denoted Orb(M), consists of all k x m matrices over F q such 
that the first r columns are linearly independent, and each j th column, for j > r, consists of the same linear 
combination of the first r columns as that of the / h column of the matrix M. Hence, the size of Orb(M) 
equals the number of k x r matrices over F q of column rank r. Thus, Orb(M) = {q k — \){q k — q) . . . (q k — 
q'~ y ). On the other hand, Fix(M) is the stabilizer of M. By the orbit-stabilizer formula, we have 

ltlHM)l ~ |Orb(M)| (q k -l)(q k -q)...(q k -q r - 1 ) W 9 M * 9 '' 

□ 

Corollary 9. Assume q kl < n° ln and the automorphism group Aut(M) has minimal degree Q.(n). Let r be 
the column rank ofM. Then the subgroup K defined in ® has S^k < |Aut(M)| 4 ^ 4 * : (* :_ ' ^ _il ("^. In particular, 
the subgroup K is indistinguishable if further, |Aut(M)| < e"^ and r>k — o(ifn). 

In the a case that the matrix M generates a rational Goppa code, then M has full rank and the auto- 
morphism group Aut(M) is isomorphic to a subgroup of the projective linear group PGI_2(F 1? ), provided 



2 < k < n — 2, by Stichtenoth's Theorem 12111 (see Appendix IB] for more detailed background on rational 
Goppa codes). This important property results in very good values we could desire for the automorphism 
group Aut(M): we have |Aut(M)| < |PGI_2(F 9 )| < q 3 , and moreover, 

Lemma 10. IfM generates a rational Goppa code, the minimal degree of Aut(M) is at least n — 3. 

Proof, (sketch) Since Aut(M) is isomorphic to a subgroup of PGL^(F ? ), the proof is based on the obser- 
vation that any transformation in PGL^(F 9 ) that fixes at least three distinct projective lines must be the 
identity. □ 

By Corollary |£l the McEliece crytosystem coupled with rational Goppa codes resists known quantum 
attacks based on strong Fourier sampling. Unfortunately, this cryptosystem is insecure due to the classical 
attack by Sidelnokov and Shestakov [190 that recovers the secret scrambler A and the product MP, but does 
not reveal the secret permutation P. Of course, our next goal will be to find other classes of linear codes 
with which the McEliece cryptosystem would be secure against both classical and quantum attacks. 






4.3 Strong Fourier sampling over $\mathrm{GL}_2(\mathbb{F}_q)$

In this simple application, we consider the finite general linear group $G = \mathrm{GL}_2(\mathbb{F}_q)$, whose structure as well as irreps are well established (see Appendix C). From the character table of $\mathrm{GL}_2(\mathbb{F}_q)$, which can be found in Appendix C, we draw the following easy facts:

Fact. Let $\sigma$ be an irrep of $\mathrm{GL}_2(\mathbb{F}_q)$. Then (i) for all $g \in \mathrm{GL}_2(\mathbb{F}_q)$, $|\chi_\sigma(g)| = d_\sigma$ if $g$ is a scalar matrix, and $|\chi_\sigma(g)| \le 2$ otherwise; (ii) if $d_\sigma > 1$, then $q - 1 \le d_\sigma \le q + 1$.

Let $H$ be a subgroup of $\mathrm{GL}_2(\mathbb{F}_q)$. If $H$ contains a non-identity scalar matrix, we have $\bar\chi_\sigma(H) = 1$ for all $\sigma$, making it impossible to find a set of irreps whose maximal normalized characters on $H$ are small enough to apply our general theorem (Theorem 4). For this reason, we shall assume that $H$ does not contain scalar matrices except for the identity. An example of such a subgroup $H$ is any group lying inside the subgroup of triangular unipotent matrices $\{T(b) \mid b \in \mathbb{F}_q\}$, where
$$
T(b) := \begin{pmatrix} 1 & b \\ 0 & 1 \end{pmatrix}.
$$

From the easy facts above for $\mathrm{GL}_2(\mathbb{F}_q)$, it is natural to choose the set $S$ in Theorem 4 to be the set of linear (i.e., 1-dimensional) representations, and choose the dimension threshold $D$ to be $q - 1$. However, since $\mathrm{GL}_2(\mathbb{F}_q)$ has $q - 1$ linear representations, i.e., $|S| = D$, we can't upper bound $\Delta$ by $|S|$. We prove the following lemma to provide a strong upper bound on $\Delta$, which is, in this case, the maximal number of linear representations appearing in the decomposition of $\rho \otimes \rho^*$, for any nonlinear irrep $\rho$.

Lemma 11. Let $\rho$ be an irrep of $\mathrm{GL}_2(\mathbb{F}_q)$. Then at most two linear representations appear in the decomposition of $\rho \otimes \rho^*$.

The proof of this lemma can be found in Appendix C. Then applying Theorem 4 with $S$ being the set of linear representations, and $L$ being the set of non-linear irreps of $\mathrm{GL}_2(\mathbb{F}_q)$, we have:

Corollary 12. Let $H$ be a subgroup of $\mathrm{GL}_2(\mathbb{F}_q)$ that does not contain any scalar matrix other than the identity. Then $\mathcal{D}_H \le 28|H|^2/q$.

Proof of Corollary 12. Let $S$ be the set of linear representations of $\mathrm{GL}_2(\mathbb{F}_q)$ and let $D = q - 1$. Then in this case, $L_D$ is the set of all non-linear irreps of $\mathrm{GL}_2(\mathbb{F}_q)$.

Since $\bar\chi_\sigma(H) \le 2/(q-1)$ for every nonlinear irrep $\sigma$ (by the Fact above, as $H$ contains no non-identity scalar matrix), we have, for $q \ge 3$,
$$
\bar\chi_{\bar S}(H) \le \frac{2}{q-1} \le \frac{3}{q}.
$$
To bound the second term in the bound of Theorem 4, we have $\Delta \le 2$ by Lemma 11 and $d_S = 1$, thus
$$
\Delta\,\frac{d_S^2}{D} \le \frac{2}{q-1} \le \frac{3}{q}.
$$
As $|G| = (q-1)^2 q(q+1)$ and the number of irreps of dimension less than $D$ is $|\widehat G \setminus L_D| = |S| = q - 1$, we have
$$
\frac{|\widehat G \setminus L_D|\, D^2}{|G|} = \frac{(q-1)^3}{(q-1)^2\, q(q+1)} = \frac{q-1}{q(q+1)} < \frac{1}{q}.
$$
By Theorem 4, $\mathcal{D}_H \le 4|H|^2 (7/q)$. $\square$

In particular, $H$ is indistinguishable by strong Fourier sampling over $\mathrm{GL}_2(\mathbb{F}_q)$ if $|H| \le q^{\delta}$ for some $\delta < 1/2$, because in that case we have $\mathcal{D}_H \le 28\, q^{2\delta - 1} \le \log^{-c}|\mathrm{GL}_2(\mathbb{F}_q)|$ for all constants $c > 0$ (as $q \to \infty$).

Examples of indistinguishable subgroups. As a specific example, consider a cyclic subgroup $H_b$ generated by a triangular unipotent matrix $T(b)$ for any $b \ne 0$. Since $T(b)^k = T(kb)$ for any integer $k \ge 0$, the order of $H_b$ is the least positive integer $k$ such that $kb = 0$. In particular, the order of $H_b$ equals the characteristic of the finite field $\mathbb{F}_q$. Suppose $q = p^n$ for some prime number $p$ and $n > 2$. Then $\mathbb{F}_q$ has characteristic $p$, and hence $|H_b| = p$. By Corollary 12, we have $\mathcal{D}_{H_b} \le O(p^{2-n})$.

Similarly, consider a subgroup $H_{a,b}$ generated by two distinct non-identity elements $T(a)$ and $T(b)$. Since the elements of $H_{a,b}$ are of the form $T(ka + \ell b)$ for $k, \ell \in \{0, 1, \dots, p-1\}$, we have $|H_{a,b}| \le p^2$. Thus, the distinguishability of $H_{a,b}$ using strong Fourier sampling over $\mathrm{GL}_2(\mathbb{F}_{p^n})$ is $O(p^{4-n})$. Clearly, both $H_b$ and $H_{a,b}$ are indistinguishable for $n$ sufficiently large. More generally, any subgroup generated by a constant number of triangular unipotent matrices is indistinguishable.
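The facts behind the two examples above can be checked concretely. The block below is an added example written for this page, not code from the paper: it builds $\mathbb{F}_{256} = \mathbb{F}_2[x]/(x^8+x^4+x^3+x+1)$ (a constructed choice of field and modulus), forms the matrices $T(b)$, takes the closure of the subgroup generated by one, two and three of them, and verifies $T(a)T(b) = T(a+b)$, $|H_b| = p$, $|H_{a,b}| \le p^2$ and the absence of non-identity scalar matrices, which is the hypothesis of Corollary 12. The function `corollary12_bound` evaluates the bound $28|H|^2/q$; the names and the chosen generators are this example's own.

```python
"""Unipotent subgroups of GL_2(F_q) and the Corollary 12 bound (added example).

Builds F_q with q = p^n as F_p[x]/(f), forms the triangular unipotent
matrices T(b) = [[1, b], [0, 1]], takes the closure of the subgroup generated
by a few of them, and checks the facts used in Section 4.3.  The field
F_256 = F_2[x]/(x^8+x^4+x^3+x+1) and the generators are constructed choices.
"""

P, N = 2, 8                             # q = p^n = 256
MODULUS = (1, 1, 0, 1, 1, 0, 0, 0, 1)   # x^8 + x^4 + x^3 + x + 1, low degree first
ZERO = (0,) * N
ONE = (1,) + (0,) * (N - 1)


def f_add(a, b):
    """Addition in F_q: coefficient-wise mod p."""
    return tuple((x + y) % P for x, y in zip(a, b))


def f_mul(a, b):
    """Multiplication in F_q: schoolbook product reduced by the monic MODULUS."""
    prod = [0] * (2 * N - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % P
    for deg in range(2 * N - 2, N - 1, -1):      # eliminate x^deg for every deg >= N
        coef = prod[deg]
        if coef:
            for t in range(N + 1):               # subtract coef * x^(deg-N) * MODULUS
                prod[deg - N + t] = (prod[deg - N + t] - coef * MODULUS[t]) % P
    return tuple(prod[:N])


def T(b):
    """The triangular unipotent matrix T(b), stored as a tuple of rows."""
    return ((ONE, b), (ZERO, ONE))


IDENTITY = T(ZERO)


def m_mul(A, B):
    """2x2 matrix product over F_q."""
    return tuple(
        tuple(f_add(f_mul(A[i][0], B[0][j]), f_mul(A[i][1], B[1][j])) for j in range(2))
        for i in range(2)
    )


def generated_subgroup(gens):
    """Closure of {identity} under right-multiplication by the generators.

    The group is finite, so multiplying by generators until nothing new
    appears yields exactly the subgroup they generate."""
    group = {IDENTITY}
    frontier = [IDENTITY]
    while frontier:
        nxt = []
        for A in frontier:
            for g in gens:
                B = m_mul(A, g)
                if B not in group:
                    group.add(B)
                    nxt.append(B)
        frontier = nxt
    return group


def is_scalar(A):
    return A[0][1] == ZERO and A[1][0] == ZERO and A[0][0] == A[1][1]


def has_nontrivial_scalar(group):
    """True if the subgroup contains a scalar matrix other than the identity."""
    return any(is_scalar(A) and A != IDENTITY for A in group)


def corollary12_bound(group):
    """The upper bound 28|H|^2/q on the distinguishability D_H from Corollary 12."""
    return 28 * len(group) ** 2 / P ** N


# Constructed sample: the field elements 1, x, x^2 as the entries b of T(b)
B1 = ONE
B2 = (0, 1) + (0,) * (N - 2)
B3 = (0, 0, 1) + (0,) * (N - 3)
H_b = generated_subgroup([T(B1)])
H_ab = generated_subgroup([T(B1), T(B2)])
H_abc = generated_subgroup([T(B1), T(B2), T(B3)])

if __name__ == "__main__":
    print("|H_b| =", len(H_b), " |H_ab| =", len(H_ab), " |H_abc| =", len(H_abc))
    print("scalar matrices besides the identity:", has_nontrivial_scalar(H_abc))
    print("bound on D_H for H_b:", corollary12_bound(H_b))
```

For $q = 256$ the bound $28|H|^2/q$ is only meaningful for the smallest subgroup ($|H_b| = 2$ gives $0.4375$); the statement in the text is asymptotic in $n$, where $q = p^n$ grows while $|H|$ stays polynomial in $p$.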



5 Bounding distinguishability

We now present the proof of the main theorem (Theorem 4) in detail. Fixing a nontrivial subgroup $H \le G$, we want to upper bound $\mathcal{D}_H$. Let us start with bounding the expectation over the random group element $g \in G$, for a fixed irrep $\rho \in \widehat G$:
$$
E_H(\rho) := \mathbb{E}_g\left[\big\|P_{Hg}(\cdot \mid \rho) - U_{B_\rho}\big\|_1^2\right],
$$
where $U_{B_\rho}$ is the uniform distribution on $B_\rho$. Obviously we always have $E_H(\rho) \le 4$. More interestingly, we have
$$
\begin{aligned}
E_H(\rho) &= \mathbb{E}_g\Big[\Big(\sum_{b \in B_\rho} \Big|P_{Hg}(b \mid \rho) - \frac{1}{d_\rho}\Big|\Big)^2\Big] \\
&\le \mathbb{E}_g\Big[d_\rho \sum_{b \in B_\rho} \Big(P_{Hg}(b \mid \rho) - \frac{1}{d_\rho}\Big)^2\Big] &&\text{(by Cauchy–Schwarz)}\\
&= d_\rho \sum_{b \in B_\rho} \mathrm{Var}_g\big[P_{Hg}(b \mid \rho)\big] &&\text{(since } \mathbb{E}_g[P_{Hg}(b \mid \rho)] = 1/d_\rho\text{)}\\
&= \frac{d_\rho}{\mathrm{Tr}(\Pi^\rho_H)^2} \sum_{b \in B_\rho} \mathrm{Var}_g\big[\|\Pi^\rho_{Hg} b\|^2\big], \tag{7}
\end{aligned}
$$
where the last step uses $P_{Hg}(b \mid \rho) = \|\Pi^\rho_{Hg} b\|^2 / \mathrm{Tr}(\Pi^\rho_H)$ and $\mathrm{Tr}(\Pi^\rho_{Hg}) = \mathrm{Tr}(\Pi^\rho_H)$. The equation $\mathbb{E}_g[P_{Hg}(b \mid \rho)] = 1/d_\rho$ (Proposition 18 in Appendix A) can be shown using Schur's lemma.

From (7), we are motivated to bound the variance of $\|\Pi^\rho_{Hg} b\|^2$ when $g$ is chosen uniformly at random. We provide an upper bound that depends on the projection of the vector $b \otimes b^*$ onto irreducible subspaces of $\rho \otimes \rho^*$, and on the maximal normalized characters of $\sigma$ on $H$ for all irreps $\sigma$ appearing in the decomposition of $\rho \otimes \rho^*$. Recall that the representation $\rho \otimes \rho^*$ is typically reducible and can be written as an orthogonal direct sum of irreps $\rho \otimes \rho^* = \bigoplus_{\sigma \in \widehat G} a_\sigma \sigma$, where $a_\sigma \ge 0$ is the multiplicity of $\sigma$. Then $I(\rho \otimes \rho^*)$ consists of the $\sigma$ with $a_\sigma > 0$, and we let $\Pi^{\rho \otimes \rho^*}_\sigma$ denote the projection operator whose image is $a_\sigma \sigma$, that is, the subspace spanned by all copies of $\sigma$. Our upper bound given in Lemma 13 below generalizes the bound given in Lemma 4.3 of [13], which only applies to subgroups $H$ of order 2.

Lemma 13. Let $\rho$ be an irrep of $G$. Then for any vector $b \in V_\rho$,
$$
\mathrm{Var}_g\big[\|\Pi^\rho_{Hg} b\|^2\big] \le \sum_{\sigma \in I(\rho\otimes\rho^*)} \bar\chi_\sigma(H)\, \big\|\Pi^{\rho\otimes\rho^*}_\sigma (b \otimes b^*)\big\|^2 .
$$

Proof of Lemma 13. Fix a vector $b \in V_\rho$. To simplify notation, we shall write $\Pi_g$ as shorthand for $\Pi^\rho_{Hg}$, and write $gb$ for $\rho(g)b$. For any $g \in G$, we have
$$
\|\Pi_g b\|^2 = \langle \Pi_g b, \Pi_g b\rangle = \langle b, \Pi_g b\rangle = \frac{1}{|H|}\Big(\langle b, b\rangle + \sum_{h \in H \setminus\{1\}} \langle b, g^{-1}hg\, b\rangle\Big).
$$
Let $S_g = \sum_{h \in H\setminus\{1\}} \langle b, g^{-1}hg\, b\rangle$. Then
$$
\|\Pi_g b\|^2 = \frac{1}{|H|}\big(\|b\|^2 + S_g\big) \quad\text{and}\quad S_g = |H|\,\|\Pi_g b\|^2 - \|b\|^2 .
$$
It follows that $S_g$ is real, and that
$$
\|\Pi_g b\|^4 = \frac{1}{|H|^2}\big(\|b\|^4 + 2\|b\|^2 S_g + S_g^2\big).
$$
We have
$$
\mathbb{E}_g\big[\|\Pi_g b\|^4\big] = \frac{1}{|H|^2}\big(\|b\|^4 + 2\|b\|^2\,\mathbb{E}_g[S_g] + \mathbb{E}_g[S_g^2]\big), \tag{8}
$$
$$
\big(\mathbb{E}_g\|\Pi_g b\|^2\big)^2 = \frac{1}{|H|^2}\big(\|b\|^2 + \mathbb{E}_g[S_g]\big)^2 = \frac{1}{|H|^2}\big(\|b\|^4 + 2\|b\|^2\,\mathbb{E}_g[S_g] + \mathbb{E}_g[S_g]^2\big). \tag{9}
$$
Subtracting (9) from (8) yields
$$
\mathrm{Var}_g\big[\|\Pi_g b\|^2\big] = \mathbb{E}_g\big[\|\Pi_g b\|^4\big] - \big(\mathbb{E}_g\|\Pi_g b\|^2\big)^2 = \frac{1}{|H|^2}\big(\mathbb{E}_g[S_g^2] - \mathbb{E}_g[S_g]^2\big) \le \frac{1}{|H|^2}\,\mathbb{E}_g[S_g^2].
$$
To bound the variance, we upper bound $S_g^2$ for all $g \in G$. Since $S_g$ is real, applying the Cauchy–Schwarz inequality, we have
$$
S_g^2 = \Big(\sum_{h \in H\setminus\{1\}} \langle b, g^{-1}hg\, b\rangle\Big)^2 \le (|H|-1)\sum_{h \in H\setminus\{1\}} \big|\langle b, g^{-1}hg\, b\rangle\big|^2 .
$$
Proving similarly to Lemma 4.2 in [13], one can express the second moment of the inner product $\langle b, g^{-1}hg\,b\rangle$ in terms of the projection of $b \otimes b^*$ onto the irreducible constituents of the tensor product representation $\rho \otimes \rho^*$. Specifically, for any $h \in G$, we have
$$
\mathbb{E}_g\big[|\langle b, g^{-1}hg\, b\rangle|^2\big] = \sum_{\sigma \in I(\rho\otimes\rho^*)} \frac{\chi_\sigma(h)}{d_\sigma}\, \big\|\Pi^{\rho\otimes\rho^*}_\sigma(b\otimes b^*)\big\|^2 ,
$$
since $|\langle b, g^{-1}hg\,b\rangle|^2 = \langle b\otimes b^*, (\rho\otimes\rho^*)(g^{-1}hg)\,(b\otimes b^*)\rangle$ and, by Schur's lemma, averaging $\sigma(g^{-1}hg)$ over $g$ gives the scalar $\chi_\sigma(h)/d_\sigma$ on each copy of $\sigma$. It follows that
$$
\begin{aligned}
\mathrm{Var}_g\big[\|\Pi_g b\|^2\big] &\le \frac{|H|-1}{|H|^2}\sum_{h\in H\setminus\{1\}} \mathbb{E}_g\big[|\langle b, g^{-1}hg\,b\rangle|^2\big]
\le \frac{(|H|-1)^2}{|H|^2}\sum_{\sigma\in I(\rho\otimes\rho^*)} \bar\chi_\sigma(H)\,\big\|\Pi^{\rho\otimes\rho^*}_\sigma(b\otimes b^*)\big\|^2 \\
&\le \sum_{\sigma\in I(\rho\otimes\rho^*)} \bar\chi_\sigma(H)\,\big\|\Pi^{\rho\otimes\rho^*}_\sigma(b\otimes b^*)\big\|^2 . \qquad\square
\end{aligned}
$$
Back to our goal of bounding $E_H(\rho)$ using the bound in Lemma 13, the strategy will be to separate the irreps appearing in the decomposition of $\rho \otimes \rho^*$ into two groups, those with small dimension and those with large dimension, and treat them differently. If $d_\sigma$ is large, we shall rely on bounding $\bar\chi_\sigma(H)$. If $d_\sigma$ is small, we shall control the projection given by $\Pi^{\rho\otimes\rho^*}_\sigma$ using the following lemma, which was proved implicitly in [13] (its proof is also given in Appendix A):

Lemma 14. For any irrep $\sigma$, we have
$$
\sum_{b \in B_\rho} \big\|\Pi^{\rho\otimes\rho^*}_\sigma(b\otimes b^*)\big\|^2 \le d_\sigma^2 .
$$

The method discussed above for bounding $E_H(\rho)$ culminates in Lemma 15 below.

Lemma 15. Let $\rho \in \widehat G$ be arbitrary and $S \subseteq \widehat G$ be any subset of irreps that does not contain $\rho$. Then
$$
E_H(\rho) \le 4|H|^2\Big(\bar\chi_{\bar S}(H) + |S \cap I(\rho\otimes\rho^*)|\,\frac{d_S^2}{d_\rho}\Big).
$$

Proof of Lemma 15. Combining Inequality (7) and Lemma 13 gives
$$
E_H(\rho) \le \frac{d_\rho}{\mathrm{Tr}(\Pi^\rho_H)^2}\sum_{b\in B_\rho}\ \sum_{\sigma\in I(\rho\otimes\rho^*)} \bar\chi_\sigma(H)\,\big\|\Pi^{\rho\otimes\rho^*}_\sigma(b\otimes b^*)\big\|^2 .
$$
Now we split the additive terms in the above upper bound into two groups separated by the set $S$. For the first group (large dimension),
$$
\sum_{\sigma\in \bar S\cap I(\rho\otimes\rho^*)}\ \sum_{b\in B_\rho} \bar\chi_\sigma(H)\,\big\|\Pi^{\rho\otimes\rho^*}_\sigma(b\otimes b^*)\big\|^2
\le \bar\chi_{\bar S}(H)\sum_{b\in B_\rho}\ \sum_{\sigma\in I(\rho\otimes\rho^*)}\big\|\Pi^{\rho\otimes\rho^*}_\sigma(b\otimes b^*)\big\|^2
= \bar\chi_{\bar S}(H)\sum_{b\in B_\rho}\|b\otimes b^*\|^2
= \bar\chi_{\bar S}(H)\, d_\rho ,
$$
since the $\Pi^{\rho\otimes\rho^*}_\sigma$ are orthogonal projections onto complementary subspaces and $\|b \otimes b^*\| = 1$. For the second group (small dimension),
$$
\sum_{\sigma\in S\cap I(\rho\otimes\rho^*)}\ \sum_{b\in B_\rho} \bar\chi_\sigma(H)\,\big\|\Pi^{\rho\otimes\rho^*}_\sigma(b\otimes b^*)\big\|^2
\le \sum_{\sigma\in S\cap I(\rho\otimes\rho^*)} d_\sigma^2 \quad\text{(by Lemma 14, since } \bar\chi_\sigma(H)\le 1\text{)}
\le |S\cap I(\rho\otimes\rho^*)|\, d_S^2 .
$$
Summing the last bounds for the two groups yields
$$
E_H(\rho) \le \Big(\frac{d_\rho}{\mathrm{Tr}(\Pi^\rho_H)}\Big)^2\Big(\bar\chi_{\bar S}(H) + |S\cap I(\rho\otimes\rho^*)|\,\frac{d_S^2}{d_\rho}\Big).
$$
On the other hand, since $E_H(\rho) \le 4$, we can assume $|H|^2\,\bar\chi_{\bar S}(H) \le 1$ (otherwise the claimed bound holds trivially), and thus $\bar\chi_{\bar S}(H) \le \frac{1}{2|H|}$. Hence, we have
$$
\frac{\mathrm{Tr}(\Pi^\rho_H)}{d_\rho} = \frac{1}{|H|}\sum_{h\in H}\frac{\chi_\rho(h)}{d_\rho} = \frac{1}{|H|}\Big(1 + \sum_{h\in H\setminus\{1\}}\frac{\chi_\rho(h)}{d_\rho}\Big) \ge \frac{1}{|H|}\big(1 - (|H|-1)\,\bar\chi_\rho(H)\big) \ge \frac{1}{|H|} - \bar\chi_\rho(H) \ge \frac{1}{2|H|},
$$
where the last inequality is due to $\bar\chi_\rho(H) \le \bar\chi_{\bar S}(H) \le \frac{1}{2|H|}$ (recall $\rho \notin S$). This completes the proof. $\square$

To apply this lemma, we should choose the subset $S$ such that $d_S^2 \ll d_\rho$, that is, $S$ should consist of small-dimensional irreps. Then applying Lemma 15 for all irreps $\rho$ of large dimension, we can prove our general main theorem straightforwardly.

Proof of Theorem 4. For any $\rho \in L$, since $d_\rho \ge D > d_S$, we must have $\rho \notin S$. By Lemma 15,
$$
E_H(\rho) \le 4|H|^2\Big(\bar\chi_{\bar S}(H) + \Delta\,\frac{d_S^2}{D}\Big)\quad\text{for all } \rho \in L .
$$
Combining this with the fact that $E_H(\rho) \le 4$ for all $\rho \notin L$, we obtain
$$
\mathcal{D}_H = \mathbb{E}_\rho\big[E_H(\rho)\big] \le 4|H|^2\Big(\bar\chi_{\bar S}(H) + \Delta\,\frac{d_S^2}{D}\Big) + 4\Pr_\rho[\rho\notin L].
$$
To complete the proof, it remains to bound $\Pr_\rho[\rho \notin L]$. Since $\mathrm{Tr}(\Pi^\rho_H) \le d_\rho$, we have
$$
P(\rho) = \frac{d_\rho\, |H|}{|G|}\,\mathrm{Tr}(\Pi^\rho_H) \le \frac{d_\rho^2\, |H|}{|G|}.
$$
Since $d_\rho < D$ for all $\rho \in \widehat G \setminus L$, it follows that
$$
\Pr_\rho[\rho\notin L] = \sum_{\rho\notin L} P(\rho) \le \sum_{\rho\notin L}\frac{d_\rho^2\,|H|}{|G|} < \frac{|\widehat G\setminus L|\,D^2\,|H|}{|G|}. \qquad\square
$$



6 Strong Fourier sampling over $(\mathrm{GL}_k(\mathbb{F}_q)\times S_n)\wr\mathbb{Z}_2$

This section is devoted to the proof of Theorem 8, which establishes the limitation of strong Fourier sampling in breaking the McEliece cryptosystem. The goal is to bound the distinguishability of the subgroup $K$ defined in (5) of the wreath product $(\mathrm{GL}_k(\mathbb{F}_q)\times S_n)\wr\mathbb{Z}_2$.

6.1 Normalized characters for $G \wr \mathbb{Z}_2$

Firstly, we consider quantum Fourier sampling over the wreath product $G\wr\mathbb{Z}_2$, for a general group $G$, with a hidden subgroup of the form
$$
K = \big((H_0,\ s^{-1}H_0 s),\ 0\big)\cup\big((H_0 s,\ s^{-1}H_0),\ 1\big) \le G\wr\mathbb{Z}_2
$$
for some subgroup $H_0 \le G$ and some element $s \in G$. Again, the first thing we need to understand is the maximal normalized characters on $K$. Recall that all irreducible characters of $G\wr\mathbb{Z}_2$ are constructed in the following ways:

1. Each unordered pair of two non-isomorphic irreps $\sigma, \rho \in \widehat G$ gives rise to an irrep of $G\wr\mathbb{Z}_2$, denoted $\{\rho,\sigma\}$, with character given by:
$$
\chi_{\{\rho,\sigma\}}((x,y),b) = \begin{cases} \chi_\rho(x)\chi_\sigma(y) + \chi_\rho(y)\chi_\sigma(x) & \text{if } b = 0,\\ 0 & \text{if } b = 1.\end{cases}
$$
The dimension of the representation $\{\rho,\sigma\}$ is equal to $\chi_{\{\rho,\sigma\}}((1,1),0) = 2d_\rho d_\sigma$.

2. Each irrep $\rho\in\widehat G$ gives rise to two irreps of $G\wr\mathbb{Z}_2$, denoted $\{\rho\}$ and $\{\rho\}'$, with characters given by:
$$
\chi_{\{\rho\}}((x,y),b) = \begin{cases}\chi_\rho(x)\chi_\rho(y) & \text{if } b=0,\\ \chi_\rho(xy) & \text{if } b=1,\end{cases}
\qquad
\chi_{\{\rho\}'}((x,y),b) = \begin{cases}\chi_\rho(x)\chi_\rho(y) & \text{if } b=0,\\ -\chi_\rho(xy) & \text{if } b=1.\end{cases}
$$
Both representations $\{\rho\}$ and $\{\rho\}'$ have the same dimension, equal to $d_\rho^2$.

Clearly, the number of irreps of $G\wr\mathbb{Z}_2$ is equal to $|\widehat G|^2/2 + 3|\widehat G|/2$, which is no more than $|\widehat G|^2$ as long as $G$ has at least three irreps. Now it is easy to determine the maximal normalized characters on the subgroup $K$.

Proposition 16. For non-isomorphic irreps $\rho,\sigma\in\widehat G$,
$$
\bar\chi_{\{\rho,\sigma\}}(K) \le \bar\chi_\rho(H_0)\,\bar\chi_\sigma(H_0).
$$
For an irrep $\rho\in\widehat G$,
$$
\bar\chi_{\{\rho\}}(K) = \bar\chi_{\{\rho\}'}(K) = \max\big\{\bar\chi_\rho(H_0)^2,\ 1/d_\rho\big\}.
$$

So to bound the maximal normalized characters over $K$, we can turn to bounding the normalized characters on the subgroup $H_0$ and the dimension of an irrep of $G$.
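The construction of the characters of $G \wr \mathbb{Z}_2$ in items 1 and 2, and the shape of the hidden subgroup $K$ in (5), can be checked on a small group. The block below is an added example written for this page, not code from the paper: it takes $G = S_3$ with its three irreps (trivial, sign and the 2-dimensional standard representation, whose character is "fixed points minus one"), builds the 72-element wreath product with the multiplication stated in the docstring (one of the equivalent conventions; the character formulas above are invariant under it), verifies that the nine characters are class functions, are orthonormal, and have dimensions whose squares sum to 72, and assembles $K$ for a chosen $H_0$ and $s$ (constructed inputs) to confirm it is a subgroup of order $2|H_0|^2$.

```python
"""Irreducible characters of G wr Z_2 from those of G (added example).

Constructed illustration for Section 6.1, not code from the paper.  G = S_3;
the wreath product multiplication used is
    ((x1,y1),b1) * ((x2,y2),b2) = ((x1 x2, y1 y2), b1+b2)   if b1 = 0,
                                = ((x1 y2, y1 x2), b1+b2)   if b1 = 1.
"""
from itertools import permutations

S3 = list(permutations(range(3)))   # a permutation p is a tuple with p[i] = image of i
E3 = (0, 1, 2)


def s_mul(p, q):
    """Composition p o q (apply q first)."""
    return tuple(p[q[i]] for i in range(3))


def sign(p):
    inversions = sum(1 for i in range(3) for j in range(i + 1, 3) if p[i] > p[j])
    return -1 if inversions % 2 else 1


IRREPS_S3 = {
    "1": lambda p: 1,
    "sgn": sign,
    "std": lambda p: sum(1 for i in range(3) if p[i] == i) - 1,
}

WREATH = [((x, y), b) for x in S3 for y in S3 for b in (0, 1)]
IDENT = ((E3, E3), 0)


def w_mul(g, h):
    (x1, y1), b1 = g
    (x2, y2), b2 = h
    if b1 == 0:
        return ((s_mul(x1, x2), s_mul(y1, y2)), (b1 + b2) % 2)
    return ((s_mul(x1, y2), s_mul(y1, x2)), (b1 + b2) % 2)


INVERSE = {g: next(h for h in WREATH if w_mul(g, h) == IDENT) for g in WREATH}


def wreath_characters():
    """Dict label -> (dimension, character function) for every irrep of S_3 wr Z_2."""
    chars = {}
    names = list(IRREPS_S3)
    for i, r in enumerate(names):
        chi = IRREPS_S3[r]

        def single(g, chi=chi, eps=1):            # type 2: {rho} (eps=1) and {rho}' (eps=-1)
            (x, y), b = g
            return chi(x) * chi(y) if b == 0 else eps * chi(s_mul(x, y))

        chars["{" + r + "}"] = (chi(E3) ** 2, single)
        chars["{" + r + "}'"] = (chi(E3) ** 2, lambda g, f=single: f(g, eps=-1))
        for s in names[i + 1:]:                    # type 1: unordered pair {rho, sigma}
            chi2 = IRREPS_S3[s]

            def pair(g, chi=chi, chi2=chi2):
                (x, y), b = g
                return chi(x) * chi2(y) + chi(y) * chi2(x) if b == 0 else 0

            chars["{" + r + "," + s + "}"] = (2 * chi(E3) * chi2(E3), pair)
    return chars


def is_class_function(chi):
    return all(chi(w_mul(w_mul(g, h), INVERSE[g])) == chi(h) for g in WREATH for h in WREATH)


def inner(chi1, chi2):
    """<chi1, chi2> = (1/|G|) sum_g chi1(g) chi2(g); all characters here are real."""
    return sum(chi1(g) * chi2(g) for g in WREATH) / len(WREATH)


def check_character_table():
    """(number of irreps, sum of squared dimensions, all class functions, orthonormal)."""
    chars = wreath_characters()
    labels = list(chars)
    orthonormal = all(inner(chars[a][1], chars[b][1]) == (1.0 if a == b else 0.0)
                      for a in labels for b in labels)
    return (len(chars), sum(d * d for d, _ in chars.values()),
            all(is_class_function(f) for _, f in chars.values()), orthonormal)


def hidden_subgroup(H0, s):
    """K = ((H_0, s^{-1} H_0 s), 0) U ((H_0 s, s^{-1} H_0), 1) as in (5)."""
    s_inv = next(t for t in S3 if s_mul(s, t) == E3)
    part0 = {((h, s_mul(s_mul(s_inv, k), s)), 0) for h in H0 for k in H0}
    part1 = {((s_mul(h, s), s_mul(s_inv, k)), 1) for h in H0 for k in H0}
    return part0 | part1


def is_subgroup(K):
    return IDENT in K and all(w_mul(g, h) in K for g in K for h in K)


# constructed instance: H_0 = <(0 1)>, s = the 3-cycle 0 -> 1 -> 2 -> 0
H0 = {E3, (1, 0, 2)}
S_ELT = (1, 2, 0)
K = hidden_subgroup(H0, S_ELT)

if __name__ == "__main__":
    print(check_character_table())
    print("|K| =", len(K), " subgroup:", is_subgroup(K))
```

The count $9 = 3^2/2 + 3\cdot 3/2$ and the dimension check $72 = |S_3|^2 \cdot 2$ are exactly the two sanity conditions a character table must satisfy; the class-function check is what depends on the multiplication convention, and it is what fails first if the $b = 1$ formula $\chi_\rho(xy)$ is paired with the wrong convention.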

6.2 Normalized characters for $(\mathrm{GL}_k(\mathbb{F}_q)\times S_n)\wr\mathbb{Z}_2$

Recall that for the case of attacking the McEliece cryptosystem, we have $G = \mathrm{GL}_k(\mathbb{F}_q)\times S_n$ and every element $(A,P)\in H_0$ has $P\in\mathrm{Aut}(M)$.

For $\tau\in\widehat{\mathrm{GL}_k(\mathbb{F}_q)}$ and $\lambda\in\widehat{S_n}$, let $\tau\times\lambda$ denote the tensor product as a representation of $\mathrm{GL}_k(\mathbb{F}_q)\times S_n$. Those tensor product representations $\tau\times\lambda$ are all the irreps of $\mathrm{GL}_k(\mathbb{F}_q)\times S_n$. Since $\bar\chi_{\tau\times\lambda}(A,\pi) = \bar\chi_\tau(A)\,\bar\chi_\lambda(\pi)$ and $\bar\chi_\tau(A)\le 1$ for all $A\in\mathrm{GL}_k(\mathbb{F}_q)$, we have
$$
\bar\chi_{\tau\times\lambda}(H_0) \le \bar\chi_\lambda(\mathrm{Aut}(M)).
$$
As in the treatment for the symmetric group, we can bound the maximal normalized character $\bar\chi_\lambda(\mathrm{Aut}(M))$ based on the minimum support of non-identity elements in $\mathrm{Aut}(M)$, for any $\lambda\in\widehat{S_n}\setminus\Lambda_c$.

To complete bounding the maximal normalized characters on the subgroup $K$, it remains to bound the dimension of a representation $\tau\times\lambda$ of the group $\mathrm{GL}_k(\mathbb{F}_q)\times S_n$ with $\lambda\in\widehat{S_n}\setminus\Lambda_c$. Since the dimension of $\tau\times\lambda$ is
$$
d_{\tau\times\lambda} = d_\tau\, d_\lambda \ge d_\lambda ,
$$
we prove the following lower bound for $d_\lambda$.

Lemma 17. Let $0 < c < 1/6$ be a constant. Then there is a constant $\beta > 0$ depending only on $c$ such that for sufficiently large $n$ and for $\lambda\in\widehat{S_n}\setminus\Lambda_c$,
$$
d_\lambda \ge e^{\beta n}.
$$
Proof of Lemma 17. Consider an integer partition of $n$, $\lambda = (\lambda_1,\dots,\lambda_t)$, with both $\lambda_1$ and $t$ less than $(1-c)n$. Let $\lambda' = (\lambda'_1,\dots,\lambda'_{\lambda_1})$ be the conjugate of $\lambda$, where $t = \lambda'_1 \ge \lambda'_2 \ge \dots \ge \lambda'_{\lambda_1}$ and $\sum_i \lambda'_i = n$. WLOG, assume $\lambda'_1 \le \lambda_1$. We label all the cells of the Young diagram of shape $\lambda$ as $c_1,\dots,c_n$, in which $c_i$ is the $i$-th cell from the left of the first row, for $1\le i\le\lambda_1$.

The dimension of $\lambda$ is determined by the hook length formula:
$$
d_\lambda = \frac{n!}{\mathrm{Hook}(\lambda)}, \qquad \mathrm{Hook}(\lambda) = \prod_{i=1}^{n}\mathrm{hook}(c_i),
$$
where $\mathrm{hook}(c_i)$ is the number of cells appearing in either the same column or the same row as the cell $c_i$, excluding those that are above or to the left of $c_i$. In particular,
$$
\mathrm{hook}(c_i) = \lambda_1 - i + \lambda'_i \quad\text{for } 1\le i\le\lambda_1 .
$$
If $\lambda_1 \le cn$, we have $\mathrm{hook}(c_i) \le t + \lambda_1 \le 2cn$ for all $i$, thus
$$
d_\lambda \ge \frac{n!}{(2cn)^n} \ge \frac{n^n}{e^n (2cn)^n} = \Big(\frac{1}{2ce}\Big)^n \ge \Big(\frac{3}{e}\Big)^n \ge e^{\beta n}
$$
for any $0 < \beta \le \ln(3/e)$, using $c < 1/6$.

Now we consider the case $cn < \lambda_1 \le (1-c)n$. Let $\tilde\lambda = (\lambda_2,\dots,\lambda_t)$; this is an integer partition of $n-\lambda_1$ whose Young diagram is obtained by removing the first row of $\lambda$. Applying the hook length formula to $\tilde\lambda$ and the fact that $d_{\tilde\lambda}\ge 1$ gives us
$$
\mathrm{Hook}(\tilde\lambda) = \frac{(n-\lambda_1)!}{d_{\tilde\lambda}} \le (n-\lambda_1)! .
$$
Then we have
$$
\mathrm{Hook}(\lambda) = \mathrm{Hook}(\tilde\lambda)\prod_{i=1}^{\lambda_1}\mathrm{hook}(c_i) \le (n-\lambda_1)!\prod_{i=1}^{\lambda_1}\mathrm{hook}(c_i).
$$
On the other hand, we have
$$
\prod_{i=1}^{\lambda_1}\mathrm{hook}(c_i) = \prod_{i=1}^{\lambda_1}(\lambda_1 - i + \lambda'_i) = \lambda_1!\prod_{i=1}^{\lambda_1}\Big(1 + \frac{\lambda'_i - 1}{\lambda_1 - i + 1}\Big) \le \lambda_1!\,\exp\Big(\sum_{i=1}^{\lambda_1}\frac{\lambda'_i-1}{\lambda_1-i+1}\Big) \quad\text{(since } 1+x\le e^x \text{ for all } x\text{)}.
$$
To upper bound the exponent in the last expression, we use Chebyshev's sum inequality, which states that for any non-increasing sequence $a_1\ge a_2\ge\dots\ge a_k$ and any non-decreasing sequence $b_1\le b_2\le\dots\le b_k$ of real numbers, we have $k\sum_{i=1}^k a_ib_i \le \big(\sum_{i=1}^k a_i\big)\big(\sum_{i=1}^k b_i\big)$. Since the sequence $\{\lambda'_i - 1\}$ is non-increasing and the sequence $\{1/(\lambda_1-i+1)\}$ is non-decreasing, we get
$$
\sum_{i=1}^{\lambda_1}\frac{\lambda'_i-1}{\lambda_1-i+1} \le \frac{1}{\lambda_1}\Big(\sum_{i=1}^{\lambda_1}(\lambda'_i-1)\Big)\Big(\sum_{i=1}^{\lambda_1}\frac1i\Big) = \frac{n-\lambda_1}{\lambda_1}\sum_{i=1}^{\lambda_1}\frac1i \le \frac{n-\lambda_1}{cn}\sum_{i=1}^{\lambda_1}\frac1i \quad\text{(since } \lambda_1 > cn\text{)}.
$$
Let $r$ be a constant such that $1 \le r/c \le cn$. Bounding $1/i\le 1$ for all $i\le r/c$ and $1/i \le c/r$ for all $i > r/c$ yields
$$
\sum_{i=1}^{\lambda_1}\frac1i \le \frac{r}{c} + \frac{c}{r}\,\lambda_1 \le \frac{r}{c} + \frac{cn}{r}.
$$
Putting the pieces together, we get
$$
d_\lambda = \frac{n!}{\mathrm{Hook}(\lambda)} \ge \frac{n!}{(n-\lambda_1)!\,\lambda_1!}\,e^{-\frac{n-\lambda_1}{cn}\left(\frac rc + \frac{cn}{r}\right)} \ge \binom{n}{\lambda_1}\,e^{-\frac{r}{c^2} - \frac{n-\lambda_1}{r}} \ge \Big(\frac{n}{n-\lambda_1}\,e^{-1/r}\Big)^{n-\lambda_1} e^{-r/c^2} \ge \Big(\frac{1}{1-c}\,e^{-1/r}\Big)^{n-\lambda_1} e^{-r/c^2},
$$
where the last inequality holds because $\lambda_1 \ge cn$ gives $n/(n-\lambda_1) \ge 1/(1-c)$. Let $0<\delta<\ln\frac{1}{1-c}$ be a constant and choose $r$ large enough so that $e^{-1/r} \ge (1-c)\,e^{\delta}$. Then, since $n - \lambda_1 \ge cn$ (as $\lambda_1 \le (1-c)n$),
$$
d_\lambda \ge e^{\delta(n-\lambda_1)}\,e^{-r/c^2} \ge e^{\delta c n - r/c^2} \ge e^{\beta n}
$$
for any constant $0 < \beta < \delta c$ and sufficiently large $n$. $\square$

Remark. The lower bound in Lemma 17 is essentially tight. To see this, consider the hook of width $(1-c)n$ and of depth $cn$, i.e., $\lambda = ((1-c)n, 1^{cn})$. This hook has dimension $\binom{n-1}{cn}$, roughly $\binom{n}{cn}$, which is no more than $(e/c)^{cn}$.

6.3 Proof of Theorem 8

We are ready to prove Theorem 8.

Proof of Theorem 8. To apply Theorem 4, let $0 < c < \min\{1/6,\ 1/4 - a\}$ be a constant and $S$ be the set of irreps of $(\mathrm{GL}_k(\mathbb{F}_q)\times S_n)\wr\mathbb{Z}_2$ of the forms $\{\tau\times\lambda,\ \eta\times\mu\}$, $\{\tau\times\lambda\}$, $\{\tau\times\lambda\}'$ with $\tau,\eta\in\widehat{\mathrm{GL}_k(\mathbb{F}_q)}$ and $\lambda,\mu\in\Lambda_c$, where $\Lambda_c$ is the set of partitions introduced in Section 4.1. Firstly, we need upper bounds for $\bar\chi_{\bar S}(K)$, $|S|$, and $d_S$. Since $\mathrm{Aut}(M)$ has minimal degree $m$, by Inequality (4) in Section 4.1 we have for all $\lambda\in\widehat{S_n}\setminus\Lambda_c$,
$$
\bar\chi_\lambda(\mathrm{Aut}(M)) \le e^{-\alpha m}.
$$
Combining with Lemma 17 and Proposition 16 yields
$$
\bar\chi_{\bar S}(K) \le \max\{e^{-2\alpha m},\ e^{-\beta n}\} \le e^{-\delta m}
$$
for some constant $\delta > 0$ (we can set $\delta = \min\{2\alpha,\beta\}$, using $m \le n$).

Since $|\widehat{\mathrm{GL}_k(\mathbb{F}_q)}| \le |\mathrm{GL}_k(\mathbb{F}_q)| \le q^{k^2}$ and by Lemma 6, we have
$$
|S| \le |\widehat{\mathrm{GL}_k(\mathbb{F}_q)}|^2\,|\Lambda_c|^2 \le q^{2k^2}\, e^{O(\sqrt n)}.
$$
To bound $d_S$, we start with bounding the dimension of each representation in $S$. A representation $\{\tau\times\lambda,\ \eta\times\mu\}$ in $S$ has dimension
$$
2\, d_{\tau\times\lambda}\, d_{\eta\times\mu} = 2\, d_\tau d_\lambda d_\eta d_\mu \le 2\, d_\tau d_\eta\, n^{2cn} \le 2\, q^{k^2} n^{2cn},
$$
where the first inequality follows from Lemma 6. The last inequality holds because $d_\tau^2 \le \sum_{\rho\in\widehat{\mathrm{GL}_k(\mathbb{F}_q)}} d_\rho^2 = |\mathrm{GL}_k(\mathbb{F}_q)|$ for any $\tau\in\widehat{\mathrm{GL}_k(\mathbb{F}_q)}$. Similarly, a representation $\{\tau\times\lambda\}$ or $\{\tau\times\lambda\}'$ in $S$ has dimension $d_{\tau\times\lambda}^2 \le q^{k^2} n^{2cn}$. Hence, the maximal dimension of a representation in the set $S$ is
$$
d_S \le 2\, q^{k^2} n^{2cn}.
$$
Let $4a + 4c < d < 1$ be a constant and let $\gamma_1$ be any constant such that $0 < \gamma_1 < d - 4c - 4a$. Now we set the dimension threshold $D = n^{dn}$. From the upper bounds on $|S|$ and $d_S$, we get
$$
|S|\,\frac{d_S^2}{D} \le 4\, q^{4k^2} e^{O(\sqrt n)}\, n^{(4c-d)n} \le 4\, e^{O(\sqrt n)}\, n^{(4a+4c-d)n} \quad\text{(since } q^{k^2}\le n^{an}\text{)} \;\le\; n^{-\gamma_1 n}
$$
for sufficiently large $n$.

Let $L$ be the set of all irreps of $(\mathrm{GL}_k(\mathbb{F}_q)\times S_n)\wr\mathbb{Z}_2$ of dimension at least $D$, and let $\widehat{G}$ denote the set of all irreps of this wreath product. Bounding $|\widehat G \setminus L|$ by the number of irreps of $(\mathrm{GL}_k(\mathbb{F}_q)\times S_n)\wr\mathbb{Z}_2$, which is no more than the square of the number of irreps of $\mathrm{GL}_k(\mathbb{F}_q)\times S_n$, we have
$$
|\widehat{G}\setminus L| \le \big(|\widehat{\mathrm{GL}_k(\mathbb{F}_q)}|\,p(n)\big)^2 \le |\mathrm{GL}_k(\mathbb{F}_q)|^2\,p(n)^2 .
$$
Hence, for sufficiently large $n$,
$$
\frac{|\widehat{G}\setminus L|\,D^2}{|(\mathrm{GL}_k(\mathbb{F}_q)\times S_n)\wr\mathbb{Z}_2|} \le \frac{|\mathrm{GL}_k(\mathbb{F}_q)|^2\,p(n)^2\,n^{2dn}}{2\,|\mathrm{GL}_k(\mathbb{F}_q)|^2\,(n!)^2} = \frac{p(n)^2\, n^{2dn}}{2\,(n!)^2} \le \frac{e^{O(\sqrt n)}\, n^{2dn}}{2\, n^{2n} e^{-2n}} \le e^{O(n)}\, n^{2(d-1)n} \le n^{-\gamma_2 n}
$$
so long as $\gamma_2 < 2(1-d)$.

By Theorem 4, we have
$$
\mathcal{D}_K \le 4|K|^2\big(e^{-\delta m} + n^{-\gamma_1 n} + n^{-\gamma_2 n}\big) \le 4|K|^2\big(e^{-\delta m} + n^{-\gamma n}\big),
$$
for some constant $\gamma > 0$. This completes the proof. $\square$
Appendices

A Supplemental proofs for the main theorem

Proposition 18. Let $H\le G$ and $g$ be chosen from $G$ uniformly at random. Then for $\rho\in\widehat G$ and $b\in B_\rho$,
$$
\mathbb{E}_g\big[P_{Hg}(b\mid\rho)\big] = 1/d_\rho .
$$

Proof. Schur's lemma asserts that if $\rho$ is irreducible, the only matrices which commute with $\rho(g)$ for all $g$ are the scalars. Hence,
$$
\mathbb{E}_g\big[\Pi^\rho_{Hg}\big] = \frac{1}{|G|}\sum_{g\in G}\rho(g)^{-1}\,\Pi^\rho_H\,\rho(g) = \frac{\mathrm{Tr}(\Pi^\rho_H)}{d_\rho}\,\mathbb{1},
$$
which implies that
$$
\mathbb{E}_g\big[\|\Pi^\rho_{Hg}b\|^2\big] = \mathbb{E}_g\big[\langle b,\Pi^\rho_{Hg}b\rangle\big] = \big\langle b,\ \mathbb{E}_g[\Pi^\rho_{Hg}]\,b\big\rangle = \frac{\mathrm{Tr}(\Pi^\rho_H)}{d_\rho}.
$$
Since $P_{Hg}(b\mid\rho) = \|\Pi^\rho_{Hg}b\|^2/\mathrm{Tr}(\Pi^\rho_H)$, the claim follows. $\square$

A.1 Proof of Lemma 14

Proof of Lemma 14. Let $L_\sigma$ be the subspace of $\rho\otimes\rho^*$ consisting of all copies of $\sigma$. Since $B_\rho$ is orthonormal, the vectors $\{b\otimes b^*\mid b\in B_\rho\}$ are mutually orthogonal unit vectors in $\rho\otimes\rho^*$. Thus, extending them to an orthonormal basis and using that $\sum_v\|\Pi v\|^2 = \mathrm{Tr}\,\Pi$ over any orthonormal basis,
$$
\sum_{b\in B_\rho}\big\|\Pi^{\rho\otimes\rho^*}_\sigma(b\otimes b^*)\big\|^2 \le \dim L_\sigma .
$$
Note that $\dim L_\sigma$ is equal to $d_\sigma$ times the multiplicity of $\sigma$ in $\rho\otimes\rho^*$. On the other hand, we have
$$
\text{multiplicity of }\sigma\text{ in }\rho\otimes\rho^* = \langle\chi_\sigma,\ \chi_\rho\chi_{\rho^*}\rangle = \langle\chi_\sigma\chi_\rho,\ \chi_{\rho^*}\rangle = \text{multiplicity of }\rho^*\text{ in }\sigma\otimes\rho \le \frac{\dim(\sigma\otimes\rho)}{\dim\rho^*} = d_\sigma .
$$
Hence,
$$
\sum_{b\in B_\rho}\big\|\Pi^{\rho\otimes\rho^*}_\sigma(b\otimes b^*)\big\|^2 \le d_\sigma^2 . \qquad\square
$$



B Rational Goppa codes

This part summarizes definitions and key properties of rational Goppa codes that will be useful in our analysis. Following Stichtenoth [21], we shall describe Goppa codes in terms of algebraic function fields instead of algebraic curves. A complete treatment of this subject can be found in [22].

A rational function field over $\mathbb{F}_q$ is a field extension $\mathbb{F}_q(x)/\mathbb{F}_q$ for some $x$ transcendental over $\mathbb{F}_q$. Each element $z\in\mathbb{F}_q(x)$ can be viewed as a function whose evaluation at a base field element $a\in\mathbb{F}_q$ is determined as follows: write $z = f(x)/g(x)$ in lowest terms for some polynomials $f(x), g(x)\in\mathbb{F}_q[x]$; then
$$
z(a) = \begin{cases} f(a)/g(a)\in\mathbb{F}_q & \text{if } g(a)\ne 0,\\ \infty & \text{if } g(a) = 0.\end{cases}
$$
A Riemann–Roch space$^4$ in the rational function field $\mathbb{F}_q(x)/\mathbb{F}_q$ is a subset of $\mathbb{F}_q(x)$ of the form
$$
\mathcal{L}(r,g,h) = \Big\{\frac{f(x)\,h(x)}{g(x)}\ \Big|\ f(x)\in\mathbb{F}_q[x],\ \deg f(x)\le r\Big\}
$$
for some nonzero polynomials $g(x),h(x)\in\mathbb{F}_q[x]$ and some integer $r\ge 0$. Note that $\mathcal{L}(r,g,h)$ is a vector space of dimension $r+1$ over $\mathbb{F}_q$.

Definition. (A special case of Definition 2.2.1 in [22]) Let $g(x),h(x)\in\mathbb{F}_q[x]$ be nonzero coprime polynomials, and let $r<n$ be a nonnegative integer. Let $\gamma_1,\dots,\gamma_n$ be $n$ distinct elements in the field$^5$ $\mathbb{F}_q$ such that $g(\gamma_i)\ne 0$ and $h(\gamma_i)\ne 0$ for all $i$. Then the rational Goppa code associated with $g$, $h$ and the $\gamma_i$'s is defined by
$$
\mathcal{C}(\gamma_1,\dots,\gamma_n,r,g,h) \stackrel{\text{def}}{=} \big\{(z(\gamma_1),\dots,z(\gamma_n)) \mid z\in\mathcal{L}(r,g,h)\big\}\subseteq\mathbb{F}_q^n .
$$

Remark. A classical binary Goppa code can be obtained by setting $q = 2^m$, $r = n-\deg g(x)-1$, and $h(x) = \sum_{j=1}^n\prod_{i\ne j}(x-\gamma_i)$, and then intersecting the code $\mathcal{C}(\gamma_1,\dots,\gamma_n,r,g,h)$ with the vector space $\mathbb{F}_2^n$ (see [11]). Generalized Reed–Solomon codes are a special case of rational Goppa codes in which the polynomials $g(x)$ and $h(x)$ are both constants.

Theorem 19. (A special case of Corollary 2.2.3 in [22]) The code defined in Definition B is an $[n,k,d]$-linear code over $\mathbb{F}_q$ with dimension $k = r+1$ and minimum distance $d\ge n-r$. Consequently, this code can correct at least $\lfloor (n-r-1)/2\rfloor$ errors.

The rational Goppa code $\mathcal{C}(\gamma_1,\dots,\gamma_n,r,g,h)$ has the generator matrix
$$
M_0 = \begin{pmatrix}
\frac{h(\gamma_1)}{g(\gamma_1)} & \cdots & \frac{h(\gamma_n)}{g(\gamma_n)}\\[2pt]
\gamma_1\frac{h(\gamma_1)}{g(\gamma_1)} & \cdots & \gamma_n\frac{h(\gamma_n)}{g(\gamma_n)}\\
\vdots & & \vdots\\
\gamma_1^{r}\frac{h(\gamma_1)}{g(\gamma_1)} & \cdots & \gamma_n^{r}\frac{h(\gamma_n)}{g(\gamma_n)}
\end{pmatrix}.
$$

Proposition 20. The matrix $M_0$ has full rank, that is, its rank (equivalently, its column rank) equals $r+1$. Hence, every generator matrix of a rational Goppa code has full rank.

$^4$ In terms of algebraic function fields, a Riemann–Roch space is defined in association with a divisor of the function field $F/K$, where a divisor is a finite sum $\sum_i n_iP_i$ with $n_i\in\mathbb{Z}$ and the $P_i$'s being places of the function field. In the rational function field $K(x)/K$, we can show that every divisor can be written as $rP_\infty + (z)$ for some integer $r$ and some nonzero $z\in K(x)$, where $P_\infty$ is the infinite place (defined in [22, pg. 9]), and $(z)$ is the principal divisor of $z$. The space $\mathcal{L}(r,g,h)$ is indeed the Riemann–Roch space associated with the divisor $rP_\infty + (z)$ with $z = h(x)/g(x)$.

$^5$ In the case $r = \deg h(x) - \deg g(x)$, one can choose one of the points $P_i$ to be $\infty$. However, we rule out this case to keep the discussion simple.

Proof. It suffices to show that the first $r+1$ columns of $M_0$ are linearly independent. Equivalently, we show that the matrix $N_0$ below has nonzero determinant:
$$
N_0 = \begin{pmatrix}
\frac{h(\gamma_1)}{g(\gamma_1)} & \cdots & \frac{h(\gamma_{r+1})}{g(\gamma_{r+1})}\\[2pt]
\gamma_1\frac{h(\gamma_1)}{g(\gamma_1)} & \cdots & \gamma_{r+1}\frac{h(\gamma_{r+1})}{g(\gamma_{r+1})}\\
\vdots & & \vdots\\
\gamma_1^{r}\frac{h(\gamma_1)}{g(\gamma_1)} & \cdots & \gamma_{r+1}^{r}\frac{h(\gamma_{r+1})}{g(\gamma_{r+1})}
\end{pmatrix}
= \begin{pmatrix}
1 & \cdots & 1\\
\gamma_1 & \cdots & \gamma_{r+1}\\
\vdots & & \vdots\\
\gamma_1^{r} & \cdots & \gamma_{r+1}^{r}
\end{pmatrix}
\begin{pmatrix}
\frac{h(\gamma_1)}{g(\gamma_1)} & & \\
& \ddots & \\
& & \frac{h(\gamma_{r+1})}{g(\gamma_{r+1})}
\end{pmatrix}.
$$
The first matrix in the above product is a Vandermonde matrix, which has nonzero determinant because the $\gamma_i$'s are distinct. The second matrix also has nonzero determinant because $g(\gamma_i)\ne 0$ and $h(\gamma_i)\ne 0$ for all $i$. Hence, $N_0$ has nonzero determinant. $\square$

An important property of rational Goppa codes is that in general their automorphisms are induced by projective transformations of the projective line. We will make this precise below.

Definition. (See [23, pg. 53]) Let $C$ be a code of length $n$. An automorphism of $C$ is a permutation $\pi\in S_n$ which maps every word in $C$ to a word in $C$ by acting on the positions of the codewords. The set of all automorphisms of $C$ forms a group called the automorphism group of $C$.

In particular, an automorphism of $\mathcal{C}(\gamma_1,\dots,\gamma_n,r,g,h)$ is a permutation $\pi\in S_n$ such that
$$
\mathcal{C}(\gamma_1,\dots,\gamma_n,r,g,h) = \mathcal{C}(\gamma_{\pi(1)},\dots,\gamma_{\pi(n)},r,g,h).
$$

Remark. Suppose $M$ is a generator matrix for an $[n,k]$-linear code $C$ over $\mathbb{F}_q$. Then a permutation $\pi\in S_n$ is an automorphism of $C$ if and only if there is an invertible matrix $A\in\mathrm{GL}_k(\mathbb{F}_q)$ such that $AMP_\pi = M$, where $P_\pi$ denotes the permutation matrix corresponding to $\pi$. If $M$ has full rank, there is exactly one such matrix $A$ for each automorphism $\pi$ of $C$.

Theorem 21 (Stichtenoth [21]). Suppose $1\le r\le n-3$. Then the automorphism group of the rational Goppa code $\mathcal{C}(\gamma_1,\dots,\gamma_n,r,g,h)$ is isomorphic to a subgroup of $\mathrm{Aut}(\mathbb{F}_q(x)/\mathbb{F}_q)$.

Fact. The automorphism group of the rational function field $\mathbb{F}_q(x)/\mathbb{F}_q$ is isomorphic to the projective linear group over $\mathbb{F}_q$. In notation, $\mathrm{Aut}(\mathbb{F}_q(x)/\mathbb{F}_q)\cong\mathrm{PGL}_2(\mathbb{F}_q)$.

Let $C = \mathcal{C}(\gamma_1,\dots,\gamma_n,r,g,h)$ be a rational Goppa code. To give an intuition for how the automorphism group of $C$ is embedded in $\mathrm{PGL}_2(\mathbb{F}_q)$, consider a transformation $\alpha\in\mathrm{PGL}_2(\mathbb{F}_q)$ and view each element $a\in\mathbb{F}_q$ as the point $[a:1]$ of the projective line (the point at infinity is written as $[1:0]$). Suppose $\alpha$ transforms $[a:1]$ to the point $[b:1]$; then we shall write $\alpha a = b$. If $\alpha$ transforms each point $[\gamma_i:1]$ to some point $[\gamma_j:1]$, then $\alpha$ induces another rational Goppa code:
$$
\mathcal{C}(\alpha\gamma_1,\dots,\alpha\gamma_n,r,g,h).
$$
If, further, $\mathcal{C}(\alpha\gamma_1,\dots,\alpha\gamma_n,r,g,h)$ equals the original code $C$, then $\alpha$ induces an automorphism of $C$. Stichtenoth's theorem establishes that every automorphism of $C$ is induced by such a transformation in $\mathrm{PGL}_2(\mathbb{F}_q)$.
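The objects of this appendix, together with the Fact on $|\mathrm{Fix}(M)|$ from Section 4.2 and Lemma 10, can be exercised on a small instance. The block below is an added example written for this page, not code from the paper or from Stichtenoth's work: over the prime field $\mathbb{F}_7$ it builds the generator matrix $M_0$ for the evaluation set $\gamma_i = 0,\dots,6$ with $r = 2$, once as a generalized Reed–Solomon code ($g = h = 1$) and once with $g(x) = x^2+1$ (a constructed choice with no root in $\mathbb{F}_7$); checks full rank (Proposition 20); enumerates the automorphisms induced by the affine maps $x\mapsto ax+b$, which are exactly the elements of $\mathrm{PGL}_2(\mathbb{F}_7)$ keeping the evaluation set inside $\mathbb{F}_7$, using the Remark's criterion "$AMP_\pi = M$ for some invertible $A$" in its row-space form; compares them with a brute-force search over all of $S_7$; and computes the minimal degree (Lemma 10). It also brute-forces $|\mathrm{Fix}(M)|$ for a small rank-deficient matrix over $\mathbb{F}_3$ and compares it with the orbit-stabilizer formula. All function names and parameters are this example's own.

```python
"""Rational Goppa codes, their automorphisms and Fix(M) (added example).

Constructed illustration for the Fact of Section 4.2, Lemma 10 and
Appendix B; not code from the paper.  Matrices are lists of rows over F_p.
"""
from itertools import permutations, product


def rank_mod_p(rows, p):
    """Rank of a matrix over F_p by Gaussian elimination."""
    m = [[v % p for v in r] for r in rows]
    rank = 0
    for col in range(len(m[0])):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(v * inv) % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def poly_eval(coeffs, x, p):
    """Evaluate a polynomial (coefficients low degree first) at x in F_p."""
    return sum(c * pow(x, i, p) for i, c in enumerate(coeffs)) % p


def goppa_generator(points, r, g, h, p):
    """M_0 with rows (gamma_i^j h(gamma_i)/g(gamma_i))_i for j = 0..r."""
    assert all(poly_eval(g, y, p) and poly_eval(h, y, p) for y in points)
    scale = [poly_eval(h, y, p) * pow(poly_eval(g, y, p), -1, p) % p for y in points]
    return [[pow(y, j, p) * s % p for y, s in zip(points, scale)] for j in range(r + 1)]


def is_automorphism(M, perm, p):
    """pi in Aut(C) iff rowspace(M P_pi) = rowspace(M): stacking both keeps rank k."""
    permuted = [[row[perm[i]] for i in range(len(row))] for row in M]
    return rank_mod_p(M + permuted, p) == len(M)


def affine_automorphisms(points, M, p):
    """Permutations of the evaluation points induced by x -> ax+b that are automorphisms."""
    index = {y: i for i, y in enumerate(points)}
    found = []
    for a in range(1, p):
        for b in range(p):
            images = [(a * y + b) % p for y in points]
            if all(v in index for v in images):
                perm = tuple(index[v] for v in images)
                if is_automorphism(M, perm, p):
                    found.append(perm)
    return sorted(found)


def all_automorphisms(M, p):
    """Brute force over S_n; feasible only for tiny n."""
    n = len(M[0])
    return sorted(pi for pi in permutations(range(n)) if is_automorphism(M, pi, p))


def minimal_degree(perms):
    """Fewest points moved by a non-identity permutation in the list."""
    moved = [sum(1 for i, v in enumerate(pi) if v != i) for pi in perms]
    return min(m for m in moved if m > 0)


def fix_size_bruteforce(M, p):
    """|Fix(M)| = #{S in GL_k(F_p) : S M = M} by enumeration (k small)."""
    k, n = len(M), len(M[0])
    count = 0
    for entries in product(range(p), repeat=k * k):
        S = [list(entries[i * k:(i + 1) * k]) for i in range(k)]
        if rank_mod_p(S, p) < k:
            continue
        SM = [[sum(S[i][t] * M[t][j] for t in range(k)) % p for j in range(n)] for i in range(k)]
        count += SM == M
    return count


def fix_size_formula(k, r, p):
    """(q^k - q^r)(q^k - q^{r+1}) ... (q^k - q^{k-1}) from the orbit-stabilizer argument."""
    out = 1
    for i in range(r, k):
        out *= p ** k - p ** i
    return out


# constructed instances over F_7: all seven field elements as evaluation points, r = 2
P7, POINTS = 7, list(range(7))
M_GRS = goppa_generator(POINTS, 2, (1,), (1,), P7)          # g = h = 1: a GRS code
M_GOPPA = goppa_generator(POINTS, 2, (1, 0, 1), (1,), P7)   # g = x^2 + 1, no root in F_7
M_SMALL = [[1, 2, 0], [2, 1, 0]]                           # over F_3: column rank 1

if __name__ == "__main__":
    for M in (M_GRS, M_GOPPA):
        autos = all_automorphisms(M, P7)
        print(rank_mod_p(M, P7), len(autos),
              autos == affine_automorphisms(POINTS, M, P7), minimal_degree(autos))
    print(fix_size_bruteforce(M_SMALL, 3), fix_size_formula(2, 1, 3))
```

With all of $\mathbb{F}_7$ as evaluation set, a Möbius transformation preserving the set must fix $\infty$, so the affine maps are the whole of the relevant $\mathrm{PGL}_2(\mathbb{F}_7)$; the brute force over $S_7$ finding nothing else is Theorem 21 in action. For the GRS code every affine map is an automorphism (42 of them, minimal degree $6 = n-1$); with $g = x^2+1$ only $x\mapsto\pm x$ survive, since $g(ax+b)$ must be a scalar multiple of $g(x)$. Both minimal degrees exceed the $n-3$ of Lemma 10, and for full-rank $M$ the formula gives $|\mathrm{Fix}(M)| = 1$, so $|H_0| = |\mathrm{Aut}(M)|$.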
C Supplemental proofs for $\mathrm{GL}_2(\mathbb{F}_q)$

C.1 Irreducible representations of $\mathrm{GL}_2(\mathbb{F}_q)$

In this part, we first present preliminary background on the structure of $\mathrm{GL}_2(\mathbb{F}_q)$, followed by a description of its irreps. We refer readers to the standard treatment (§5.2 of the reference cited in the original) for the missing technical details.

Viewing $\mathrm{GL}_2(\mathbb{F}_q)$ as the group of all $\mathbb{F}_q$-linear invertible endomorphisms of the quadratic extension $\mathbb{F}_{q^2}$ of $\mathbb{F}_q$, we have a large subgroup of $\mathrm{GL}_2(\mathbb{F}_q)$ that is isomorphic to $\mathbb{F}_{q^2}^*$ via the identification
$$
\{f_\xi\mid\xi\in\mathbb{F}_{q^2}^*\}\ \cong\ \mathbb{F}_{q^2}^*,
$$
where $f_\xi:\mathbb{F}_{q^2}\to\mathbb{F}_{q^2}$ is the $\mathbb{F}_q$-linear map given by $f_\xi(v) = \xi v$ for all $v\in\mathbb{F}_{q^2}$.

To turn each map into matrix form, we fix a basis $\{1,\gamma\}$ of $\mathbb{F}_{q^2}$ as a vector space over $\mathbb{F}_q$, chosen so that $\gamma^2\in\mathbb{F}_q$ (as in the odd-$q$ example below; in general, writing $\gamma^2 = u + v\gamma$ with $u,v\in\mathbb{F}_q$ replaces the matrix below by $\left(\begin{smallmatrix} x & uy\\ y & x+vy\end{smallmatrix}\right)$). For each $\xi\in\mathbb{F}_{q^2}^*$, writing $\xi = \xi_{x,y} = x + y\gamma$ for some $x,y\in\mathbb{F}_q$, the map $f_\xi$ corresponds to the matrix
$$
\begin{pmatrix} x & \gamma^2 y\\ y & x\end{pmatrix},
$$
since $f_\xi(1) = x + y\gamma$ and $f_\xi(\gamma) = \gamma^2 y + x\gamma$. Hence, we can rewrite the above identification as
$$
\Big\{\begin{pmatrix} x & \gamma^2 y\\ y & x\end{pmatrix}\ \Big|\ x,y\in\mathbb{F}_q,\ x\ne 0\text{ or }y\ne 0\Big\}\ \cong\ \mathbb{F}_{q^2}^*,\qquad \begin{pmatrix} x & \gamma^2 y\\ y & x\end{pmatrix}\mapsto\xi_{x,y} = x + y\gamma .
$$
For example, if $q$ is odd, choose a generator $\varepsilon$ of $\mathbb{F}_q^*$; then $\varepsilon$ must be a non-square in $\mathbb{F}_q$, which implies that $\{1,\sqrt\varepsilon\}$ forms a basis of $\mathbb{F}_{q^2}$ as a vector space over $\mathbb{F}_q$. In such a case, we can define $\xi_{x,y} = x + y\sqrt\varepsilon$.

Conjugacy classes. The group $\mathrm{GL}_2(\mathbb{F}_q)$ has four types of conjugacy classes, listed in Table 1, with representatives
$$
a_x = \begin{pmatrix} x & 0\\ 0 & x\end{pmatrix},\qquad
b_x = \begin{pmatrix} x & 1\\ 0 & x\end{pmatrix},\qquad
c_{x,y} = \begin{pmatrix} x & 0\\ 0 & y\end{pmatrix},\qquad
d_{x,y} = \begin{pmatrix} x & \gamma^2 y\\ y & x\end{pmatrix}.
$$

| class          | $[a_x]$                 | $[b_x]$                 | $[c_{x,y}] = [c_{y,x}]$                  | $[d_{x,y}] = [d_{x,-y}]$                   |
|----------------|-------------------------|-------------------------|------------------------------------------|--------------------------------------------|
| parameters     | $x\in\mathbb{F}_q^*$    | $x\in\mathbb{F}_q^*$    | $x,y\in\mathbb{F}_q^*$, $x\ne y$         | $x\in\mathbb{F}_q$, $y\in\mathbb{F}_q^*$   |
| class size     | $1$                     | $q^2-1$                 | $q^2+q$                                  | $q^2-q$                                    |
| no. of classes | $q-1$                   | $q-1$                   | $(q-1)(q-2)/2$                           | $(q^2-q)/2$                                |

Table 1: Conjugacy classes of $\mathrm{GL}_2(\mathbb{F}_q)$, where $[g]$ denotes the class of the representative $g$.

There are $q^2-1$ conjugacy classes, hence there are exactly $q^2-1$ irreps of $\mathrm{GL}_2(\mathbb{F}_q)$. We shall briefly describe below how to construct all those representations.

Linear representations. For each character $\alpha:\mathbb{F}_q^*\to\mathbb{C}^*$ of the cyclic group $\mathbb{F}_q^*$, we have a one-dimensional representation $U_\alpha$ of $\mathrm{GL}_2(\mathbb{F}_q)$ defined by
$$
U_\alpha(g) = \alpha(\det g)\qquad\forall g\in\mathrm{GL}_2(\mathbb{F}_q).
$$
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To compute U a {d x ^ y ), we shall use the following fact: 

det C 7 ?) = N ° rm ^/ F " ( ^ } = ^ • ^> = ^ • 

Recall that there are q — 1 characters of F* = (e) corresponding to q — 1 places where the generator £ can 
be sent to. The linear representation U^, where CCq is the character sending £ to 1, is indeed the trivial 
representation, denoted U. 

Irreducible representations by action on P 1 (F ? ). G\-2(¥ q ) acts transitively on the projective line P 1 (F 9 ) 
in the natural way: 

fa b\ r . fa b\ 
[c d)- [x:y] = [c d) 

in which the stabilizer of the infinite point [1 : 0] is the Borel subgroup B: 

B= {(o d) \",dew*,be¥ q y 

The permutation representation of GI_2(F,j) given by this action on P 1 ^) has dimension q+ 1 and 
decomposes into the trivial representation U and a ^-dimensional representation V. The character of V is 
given as follows: 

Xv(a x ) = q Xv(b x ) = Xv(c x , y ) = 1 Xv(d x , y ) = -1 . 
By checking {Xv,Xv} = 1, we see that V is irreducible. Hence, for each of the q — 1 characters a of F*, we 
have a ^-dimensional irrep V a = V (g) U a . Note that V = V (g> £/. 

Irreducible representations induced from Borel subgroup B. For each pair of characters a,fi of F*, 
there is a character of the subgroup B: 

^p-.B^C* by fjj b \^a{a)fi{d). 

In other words, a p is a one-dimensional representation of subgroup B. Let W^p be the representation of 
GI_2(F 9 ) induced by (j> a R. By computing characters, we have 

' W U: p = Wp tU , 

' W a ,a=Ua®V a , and 

• W a p is irreducible for a ^ j3. Each of these representations has dimension equal the index of B in 
GL 2 (F 9 ), i.e., [GL{2,q):B]=q+l. 

There are ((<?— I) 2 — (q— l))/2 = (<?— — 2)/2 distinct iiTeps of this type. 

Irreducible representations by characters of $\mathbb{F}_{q^2}^*$. Let $\varphi : \mathbb{F}_{q^2}^* \to \mathbb{C}^*$ be a character of the cyclic group $\mathbb{F}_{q^2}^*$. Since $\mathbb{F}_{q^2}^*$ can be viewed as a subgroup of $\mathrm{GL}_2(\mathbb{F}_q)$, we have the induced representation $\mathrm{Ind}\,\varphi$, which is not irreducible. However, it gives us a $(q-1)$-dimensional irrep $X_\varphi$ with character given by

$$\chi_{X_\varphi} = \chi_{V \otimes W_{\alpha,1}} - \chi_{W_{\alpha,1}} - \chi_{\mathrm{Ind}\,\varphi} \quad \text{if } \varphi|_{\mathbb{F}_q^*} = \alpha.$$

Note that $\mathrm{Ind}\,\varphi \cong \mathrm{Ind}\,\varphi^q$, thus $X_\varphi \cong X_{\varphi^q}$. So the characters $\varphi$ of $\mathbb{F}_{q^2}^*$ with $\varphi \neq \varphi^q$ give rise to the $\frac{1}{2}q(q-1)$ remaining irreps of $\mathrm{GL}_2(\mathbb{F}_q)$.

A summary of all irreducible characters of $\mathrm{GL}_2(\mathbb{F}_q)$ is given in Table 2 below.

| $\rho$ | $d_\rho$ | $\chi_\rho(a_x)$ | $\chi_\rho(b_x)$ | $\chi_\rho(c_{x,y})$ | $\chi_\rho(d_{x,y})$ |
|---|---|---|---|---|---|
| $U_\alpha$ | $1$ | $\alpha(x^2)$ | $\alpha(x^2)$ | $\alpha(xy)$ | $\alpha(\xi^{q+1})$ |
| $V_\alpha$ | $q$ | $q\,\alpha(x^2)$ | $0$ | $\alpha(xy)$ | $-\alpha(\xi^{q+1})$ |
| $W_{\alpha,\beta}$ ($\alpha \neq \beta$) | $q+1$ | $(q+1)\,\alpha(x)\beta(x)$ | $\alpha(x)\beta(x)$ | $\alpha(x)\beta(y) + \alpha(y)\beta(x)$ | $0$ |
| $X_\varphi$ | $q-1$ | $(q-1)\,\varphi(x)$ | $-\varphi(x)$ | $0$ | $-(\varphi(\xi) + \varphi(\xi^q))$ |

Table 2: Character table of $\mathrm{GL}_2(\mathbb{F}_q)$, where $\alpha, \beta$ are characters of $\mathbb{F}_q^*$, $\varphi$ is a character of $\mathbb{F}_{q^2}^*$ with $\varphi^q \neq \varphi$, $\xi \in \mathbb{F}_{q^2} \setminus \mathbb{F}_q$ is the eigenvalue of $d_{x,y}$, and $d_\rho = \chi_\rho(a_1)$ is the dimension of $\rho$.



C.2 Proof of Lemma 21

In the remainder of this section, we prove Lemma 21, which states that there are at most two linear representations appearing in the decomposition of $\rho \otimes \rho^*$, for any irrep $\rho$ of $\mathrm{GL}_2(\mathbb{F}_q)$. Obviously, if $\rho$ is linear then $\rho \otimes \rho^*$ is the trivial representation. Therefore, we shall only consider the cases where $\rho$ is non-linear.

Recall that the multiplicity of $U_\alpha$ in $\rho \otimes \rho^*$ is given by

$$\langle \chi_{\rho \otimes \rho^*}, \chi_{U_\alpha} \rangle = \frac{1}{|G|} \sum_{g \in G} |\chi_\rho(g)|^2 \chi_{U_\alpha}(g) = \frac{1}{|G|} \bigl( A(\rho,\alpha) + B(\rho,\alpha) + C(\rho,\alpha) + D(\rho,\alpha) \bigr),$$

where $A(\rho,\alpha)$, $B(\rho,\alpha)$, $C(\rho,\alpha)$, $D(\rho,\alpha)$ are the sums of $|\chi_\rho(g)|^2 \chi_{U_\alpha}(g)$ over all elements $g$ in the conjugacy classes with representatives of the form $a_x$, $b_x$, $c_{x,y}$ and $d_{x,y}$, respectively. That is, from the description of the conjugacy classes in Table C.1,

$$A(\rho,\alpha) = \sum_{x \in \mathbb{F}_q^*} |\chi_\rho(a_x)|^2 \chi_{U_\alpha}(a_x),$$

$$B(\rho,\alpha) = (q^2 - 1) \sum_{x \in \mathbb{F}_q^*} |\chi_\rho(b_x)|^2 \chi_{U_\alpha}(b_x),$$

$$C(\rho,\alpha) = \tfrac{1}{2}(q^2 + q) \sum_{x, y \in \mathbb{F}_q^*,\ x \neq y} |\chi_\rho(c_{x,y})|^2 \chi_{U_\alpha}(c_{x,y}),$$

$$D(\rho,\alpha) = \tfrac{1}{2}(q^2 - q) \sum_{x, y \in \mathbb{F}_q,\ y \neq 0} |\chi_\rho(d_{x,y})|^2 \chi_{U_\alpha}(d_{x,y}).$$

Our goal below is to show that $\langle \chi_{\rho \otimes \rho^*}, \chi_{U_\alpha} \rangle = 0$ for all but two linear representations $U_\alpha$ and for all non-linear irreps $\rho$ of $\mathrm{GL}_2(\mathbb{F}_q)$. We begin with the following lemma.

Lemma 22. Let $F$ be a finite field and $\varphi : F^\times \to \mathbb{C}^*$ be a non-trivial character of the cyclic group $F^\times$, i.e., $\varphi(x) \neq 1$ for some $x$. Then $\sum_{x \in F^\times} \varphi(x) = 0$.

Proof. Let $n$ be the order of $F^\times$ and let $\tau$ be a generator of $F^\times$. Then $\tau^n = 1$, which implies $\varphi(\tau)^n = 1$. Since $\varphi$ is non-trivial, we must have $\varphi(\tau) \neq 1$. Hence,

$$\sum_{x \in F^\times} \varphi(x) = \sum_{k=0}^{n-1} \varphi(\tau^k) = \sum_{k=0}^{n-1} \varphi(\tau)^k = \frac{\varphi(\tau)^n - 1}{\varphi(\tau) - 1} = 0.$$

□

Note that for any character $\alpha$ of $\mathbb{F}_q^*$, the map $\alpha^2 : \mathbb{F}_q^* \to \mathbb{C}^*$ defined by $\alpha^2(x) = \alpha(x^2)$ is also a character of $\mathbb{F}_q^*$. Hence, we have the following direct corollaries of Lemma 22.

Corollary 23. Let $\alpha$ be a character of $\mathbb{F}_q^*$ such that $\alpha^2$ is non-trivial. Then $\sum_{x \in \mathbb{F}_q^*} \alpha(x^2) = 0$.

Corollary 24. Let $\rho$ be an irrep of $\mathrm{GL}_2(\mathbb{F}_q)$ and let $\alpha$ be a character of $\mathbb{F}_q^*$ such that $\alpha^2$ is non-trivial. Then we always have $A(\rho,\alpha) = B(\rho,\alpha) = 0$.

Proof. Observe that $|\chi_\rho(a_x)|$ and $|\chi_\rho(b_x)|$ do not depend on $x$, and $\chi_{U_\alpha}(a_x) = \chi_{U_\alpha}(b_x) = \alpha(x^2)$. Hence, to show $A(\rho,\alpha) = B(\rho,\alpha) = 0$, it suffices to use the fact that $\sum_{x \in \mathbb{F}_q^*} \alpha(x^2) = 0$. □

Remark. There are at most two characters $\alpha$ of $\mathbb{F}_q^*$ such that $\alpha^2$ is trivial. They are the trivial one and, if $q$ is odd, the one that maps $\varepsilon \mapsto \omega^{(q-1)/2}$, where $\omega = e^{2\pi i/(q-1)}$ is a primitive $(q-1)$-th root of unity and $\varepsilon$ is a chosen generator of the cyclic group $\mathbb{F}_q^*$. To see this, suppose $\alpha(\varepsilon) = \omega^k$ for some $k \in \{0, 1, \ldots, q-2\}$. If $\alpha(\varepsilon)^2 = 1$, then $\omega^{2k} = 1$, which implies $q-1 \mid 2k$ because $\omega$ has order $q-1$. Hence $2k \in \{0, q-1\}$.

With this remark, Lemma 21 follows immediately from Lemma 25 below.

Lemma 25. Let $\rho$ be a non-linear irrep of $\mathrm{GL}_2(\mathbb{F}_q)$ and let $\alpha$ be a character of $\mathbb{F}_q^*$ such that $\alpha^2$ is non-trivial. Then $U_\alpha$ does not appear in the decomposition of $\rho \otimes \rho^*$.

Proof. We will prove, case by case on $\rho$, that $C(\rho,\alpha) = D(\rho,\alpha) = 0$, which together with Corollary 24 completes the proof of the lemma.

Case $\rho = W_{\beta,\beta'}$. In this case $|\chi_{W_{\beta,\beta'}}(d_{x,y})| = 0$, so we only need to show $C(W_{\beta,\beta'},\alpha) = 0$. Considering $x, y \in \mathbb{F}_q^*$ with $x \neq y$ and letting $z = x^{-1}y \neq 1$, we have

$$|\chi_{W_{\beta,\beta'}}(c_{x,y})|^2 = |\beta(x)\beta'(y) + \beta(y)\beta'(x)|^2 = 2 + \beta(xy^{-1})\beta'(yx^{-1}) + \beta(yx^{-1})\beta'(xy^{-1}) = 2 + \beta(z^{-1})\beta'(z) + \beta(z)\beta'(z^{-1}).$$

This means $|\chi_{W_{\beta,\beta'}}(c_{x,y})|^2$ only depends on $z = x^{-1}y$. Now let $\gamma(z) = |\chi_{W_{\beta,\beta'}}(c_{x,y})|^2 \alpha(z)$; then

$$|\chi_{W_{\beta,\beta'}}(c_{x,y})|^2 \chi_{U_\alpha}(c_{x,y}) = |\chi_{W_{\beta,\beta'}}(c_{x,y})|^2 \alpha(x^2 z) = \gamma(z)\alpha(x^2).$$

Hence,

$$\sum_{x, y \in \mathbb{F}_q^*,\ x \neq y} |\chi_\rho(c_{x,y})|^2 \chi_{U_\alpha}(c_{x,y}) = \sum_{x, z \in \mathbb{F}_q^*,\ z \neq 1} \gamma(z)\alpha(x^2) = \Bigl( \sum_{x \in \mathbb{F}_q^*} \alpha(x^2) \Bigr) \Bigl( \sum_{z \in \mathbb{F}_q^*,\ z \neq 1} \gamma(z) \Bigr) = 0$$

by Corollary 23, completing the proof for the case $\rho = W_{\beta,\beta'}$.
Case $\rho = V_\beta$. Since $|\chi_{V_\beta}(c_{x,y})| = 1$ and $\chi_{U_\alpha}(c_{x,y}) = \alpha(xy) = \alpha(x)\alpha(y)$,

$$\sum_{x, y \in \mathbb{F}_q^*,\ x \neq y} |\chi_{V_\beta}(c_{x,y})|^2 \chi_{U_\alpha}(c_{x,y}) = \sum_{x, y \in \mathbb{F}_q^*,\ x \neq y} \alpha(x)\alpha(y) = \Bigl( \sum_{x \in \mathbb{F}_q^*} \alpha(x) \Bigr)^2 - \sum_{x \in \mathbb{F}_q^*} \alpha(x^2) = 0$$

by Lemma 22 and Corollary 23. This shows $C(V_\beta,\alpha) = 0$.

Now we are going to show that $D(V_\beta,\alpha) = 0$, or equivalently, $\sum_{x, y \in \mathbb{F}_q,\ y \neq 0} \alpha(\xi^{q+1}) = 0$. We have

$$\sum_{\xi \in \mathbb{F}_{q^2}^*} \alpha(\xi^{q+1}) = \sum_{x \in \mathbb{F}_q^*} \alpha(x^{q+1}) + \sum_{x, y \in \mathbb{F}_q,\ y \neq 0} \alpha(\xi^{q+1}) = \sum_{x, y \in \mathbb{F}_q,\ y \neq 0} \alpha(\xi^{q+1}),$$

where in the last equality we apply Corollary 23 and the fact that $x^{q+1} = x^2$ for all $x \in \mathbb{F}_q^*$.

Consider the map $\phi : \mathbb{F}_{q^2}^* \to \mathbb{C}^*$ given by $\phi(\xi) = \alpha(\xi^{q+1})$. Clearly, $\phi$ is a character of $\mathbb{F}_{q^2}^*$. Since $\alpha^2$ is non-trivial and $\alpha^2(x) = \alpha(x^2) = \alpha(x^{q+1}) = \phi(x)$ for all $x \in \mathbb{F}_q^*$, the map $\phi$ is also non-trivial. By Lemma 22, we have $\sum_{\xi \in \mathbb{F}_{q^2}^*} \alpha(\xi^{q+1}) = 0$, which implies $D(V_\beta,\alpha) = 0$.

Case $\rho = X_\varphi$. As it is clear from the character table of $\mathrm{GL}_2(\mathbb{F}_q)$ that $C(X_\varphi,\alpha) = 0$, it remains to show $D(X_\varphi,\alpha) = 0$, or equivalently, $D' = \sum_{x, y \in \mathbb{F}_q,\ y \neq 0} |\varphi(\xi) + \varphi(\xi^q)|^2 \alpha(\xi^{q+1}) = 0$. We have

$$D' = \sum_{\xi \in \mathbb{F}_{q^2}^*} |\varphi(\xi) + \varphi(\xi^q)|^2 \alpha(\xi^{q+1}) - \sum_{x \in \mathbb{F}_q^*} |\varphi(x) + \varphi(x^q)|^2 \alpha(x^{q+1}) = D_1 - D_2.$$

For $\xi \in \mathbb{F}_{q^2}^*$, we have

$$|\varphi(\xi) + \varphi(\xi^q)|^2 = \bigl( \varphi(\xi) + \varphi(\xi^q) \bigr) \bigl( \varphi(\xi)^{-1} + \varphi(\xi^q)^{-1} \bigr) = 2 + \varphi(\xi^{1-q}) + \varphi(\xi^{q-1}).$$

Hence, since $x^{q-1} = 1$ for all $x \in \mathbb{F}_q^*$, and by Corollary 23,

$$D_2 = \sum_{x \in \mathbb{F}_q^*} \bigl( 2 + \varphi(x^{q-1}) + \varphi(x^{1-q}) \bigr) \alpha(x^{q+1}) = 4 \sum_{x \in \mathbb{F}_q^*} \alpha(x^2) = 0.$$

The last thing we want to show is that $D_1 = 0$. Consider the map $\phi : \mathbb{F}_{q^2}^* \to \mathbb{C}^*$ given by $\phi(\xi) = \varphi(\xi^{q-1})\alpha(\xi^{q+1})$, which is clearly a character of $\mathbb{F}_{q^2}^*$. We shall see that it is non-trivial. Let $\omega$ be a generator of $\mathbb{F}_{q^2}^*$. Since $\omega^{q^2-1} = 1$, we have $\phi(\omega^{q+1}) = \alpha\bigl((\omega^{q+1})^2\bigr) = \alpha(\omega^{2(q+1)}) = \alpha^2(\omega^{q+1})$. On the other hand, $\omega^{q+1}$ is a generator of $\mathbb{F}_q^*$, because the elements $\omega^{k(q+1)}$ with $k = 0, 1, \ldots, q-2$ are distinct, and $\omega^{(q-1)(q+1)} = 1$. Hence, if $\phi(\omega^{q+1}) = 1$, then $\alpha^2(x) = 1$ for all $x \in \mathbb{F}_q^*$. But since $\alpha^2$ is non-trivial, we must have $\phi(\omega^{q+1}) \neq 1$, which means $\phi$ is non-trivial. Applying Lemma 22, we get $\sum_{\xi \in \mathbb{F}_{q^2}^*} \varphi(\xi^{q-1})\alpha(\xi^{q+1}) = 0$. Similarly, we also have $\sum_{\xi \in \mathbb{F}_{q^2}^*} \varphi(\xi^{1-q})\alpha(\xi^{q+1}) = 0$. Combining these with the fact that $\sum_{\xi \in \mathbb{F}_{q^2}^*} \alpha(\xi^{q+1}) = 0$, which was proved in the previous case, we have shown $D_1 = 0$, completing the proof.

□
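Both Table 2 and the statement of Lemma 21 can be checked numerically for a small prime $q$. The following Python script is an added example and not code from the paper: it models $\mathbb{F}_{q^2}$ as $\mathbb{F}_q[\varepsilon]/(\varepsilon^2 - n)$ for a non-residue $n$, enumerates the classes $a_x, b_x, c_{x,y}, d_{x,y}$ with the weights used in the sums $A, B, C, D$ above (the class sizes are assumed as standard facts, since Table C.1 is not reproduced here), evaluates the four rows of Table 2, checks $\langle \chi_\rho, \chi_\rho \rangle = 1$ and $\sum_\rho d_\rho^2 = |G|$, and counts, for each irrep $\rho$, the characters $\alpha$ with $U_\alpha \subset \rho \otimes \rho^*$, which Lemma 21 bounds by two. All function names are the example's own.

```python
import cmath
from functools import reduce

def gl2_character_data(q):
    """Class weights and the irreducible characters of GL_2(F_q) for an odd prime q (Table 2)."""
    n = next(m for m in range(2, q) if all(m != s*s % q for s in range(q)))   # a non-residue mod q
    mul = lambda s, t: ((s[0]*t[0] + n*s[1]*t[1]) % q, (s[0]*t[1] + s[1]*t[0]) % q)
    pw = lambda s, e: reduce(mul, [s]*e, (1, 0))   # arithmetic in F_{q^2} = F_q[eps]/(eps^2 - n)
    fq2 = [(u, v) for u in range(q) for v in range(q) if (u, v) != (0, 0)]
    w = next(s for s in fq2 if len({pw(s, k) for k in range(q*q - 1)}) == q*q - 1)  # generator
    dlog2 = {pw(w, k): k for k in range(q*q - 1)}                   # F_{q^2}^* = <w>
    dlog1 = {pw(w, k*(q+1))[0]: k for k in range(q - 1)}            # F_q^* = <w^(q+1)>
    chars1 = [lambda x, k=k: cmath.exp(2j*cmath.pi*k*dlog1[x % q]/(q-1)) for k in range(q-1)]
    chars2 = [lambda s, m=m: cmath.exp(2j*cmath.pi*m*dlog2[s]/(q*q-1)) for m in range(q*q-1)]
    norm = lambda xi: pw(xi, q+1)[0]                                # xi^(q+1), an element of F_q^*
    def chi(kind, al=None, be=None, ph=None):                       # one row of Table 2
        def f(g):
            t, x = g[0], g[1]                                       # for t == 'd', x is xi = x + y*eps
            if kind == 'U':
                return al(x*x) if t in 'ab' else al(x*g[2]) if t == 'c' else al(norm(x))
            if kind == 'V':
                return q*al(x*x) if t == 'a' else 0 if t == 'b' else al(x*g[2]) if t == 'c' else -al(norm(x))
            if kind == 'W':
                return ((q+1)*al(x)*be(x) if t == 'a' else al(x)*be(x) if t == 'b' else
                        al(x)*be(g[2]) + al(g[2])*be(x) if t == 'c' else 0)
            return ((q-1)*ph((x, 0)) if t == 'a' else -ph((x, 0)) if t == 'b' else 0 if t == 'c'
                    else -(ph(x) + ph(pw(x, q))))
        return f
    F = range(1, q)   # class sizes 1, q^2-1, q^2+q, q^2-q; the last two halved over ordered pairs
    classes = ([(1, ('a', x)) for x in F] + [(q*q-1, ('b', x)) for x in F]
               + [((q*q+q)//2, ('c', x, y)) for x in F for y in F if x != y]
               + [((q*q-q)//2, ('d', (x, y))) for x in range(q) for y in F])
    irreps = ([('U', chi('U', a)) for a in chars1] + [('V', chi('V', a)) for a in chars1]
              + [('W', chi('W', chars1[k], chars1[l])) for k in range(q-1) for l in range(k+1, q-1)]
              + [('X', chi('X', ph=chars2[m])) for m in range(q*q-1) if m < m*q % (q*q-1)])
    return classes, irreps

def inner(q, classes, f, g):
    """<f, g> = (1/|G|) sum_{h in G} f(h) conj(g(h)), evaluated class by class."""
    return sum(w * f(c) * complex(g(c)).conjugate() for w, c in classes) / ((q*q-1)*(q*q-q))

def linear_constituents(q, classes, irreps, rho):
    # number of alpha with U_alpha in rho (x) rho*, i.e. <|chi_rho|^2, chi_{U_alpha}> != 0
    rr = lambda g: abs(rho(g))**2
    return sum(1 for kind, u in irreps if kind == 'U' and abs(inner(q, classes, rr, u)) > 1e-9)

def check_lemma21(q):
    # verify Table 2 is a complete set of irreps, then return max_rho #{alpha : U_alpha in rho (x) rho*}
    classes, irreps = gl2_character_data(q)
    assert all(abs(inner(q, classes, f, f) - 1) < 1e-9 for _, f in irreps)      # <chi, chi> = 1
    assert sum(round(f(('a', 1)).real)**2 for _, f in irreps) == (q*q-1)*(q*q-q)  # sum d_rho^2 = |G|
    return max(linear_constituents(q, classes, irreps, f) for _, f in irreps)
```

For $q = 3$ the bound is attained by $W_{\alpha,\beta}$ with $\alpha$ trivial and $\beta$ the quadratic character, whose tensor square contains both $U$ and $U_\beta$.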